CVE-2023-6867

medium

Description

The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121.

References

https://www.mozilla.org/security/advisories/mfsa2023-56/

https://www.mozilla.org/security/advisories/mfsa2023-54/

https://www.debian.org/security/2023/dsa-5581

https://security.gentoo.org/glsa/202401-10

https://lists.debian.org/debian-lts-announce/2023/12/msg00020.html

https://bugzilla.mozilla.org/show_bug.cgi?id=1863863

Details

Source: Mitre, NVD

Published: 2023-12-19

Updated: 2024-02-02

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium