Mozilla has patched a security issue in Firefox that could have allowed an attacker to spoof legitimate websites via a stealthily executed ‘full screen’ mode.
The vulnerability (CVE-2022-22746), which was present in Windows versions of Firefox, is a race condition bug that could result in the browser’s full screen notification warning being bypassed.This could enable an attacker to trick a user into clicking links or entering sensitive details on a fake website, among other malicious activities.
In controlling a full screen browser window without a user’s knowledge, the attacker can spoof the URL address bar of a genuine site something which is usually controlled by the browser, along with other ‘above the line’ trust indicators.
The attacker could go further to not only serve what appears to be the proper domain, but also the SSL padlock icon used to reassure web users that the site is HTTPS protected.
The vulnerability, marked as high severity, and fixed in Firefox 96 for Windows, as part of the browser’s first security release of 2022. A security advisory from Mozilla (January 11) lists several other security bugs that have now been patched in Firefox.
In addition to two further variations of attack, the release includes a fix for CVE-2021-4140, an iframe sandbox bypass with XSLT, among other bugs.