PT-2022-5034 · Mozilla · Thunderbird
Armin Ebert · Published 2022-09-20 · Updated 2024-12-12
CVE-2022-40959
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Firefox ESR versions 102.2 and earlier
Thunderbird versions 102.2 and earlier
Firefox versions 104 and earlier
Description
The issue is in the implementation of the FeaturePolicy mechanism in Firefox, Firefox ESR, and Thunderbird, and involves improper restriction of rendered UI layers or frames. During iframe navigation, certain pages did not have their FeaturePolicy fully initialized, leading to a bypass that leaked device permissions into untrusted subdocuments. This could allow a remote attacker to bypass security restrictions.
Recommendations
For Firefox ESR versions 102.2 and earlier, update to version 102.3 or later.
For Thunderbird versions 102.2 and earlier, update to version 102.3 or later.
For Firefox versions 104 and earlier, update to version 105 or later.
Exploit
Fix
Clickjacking
Insecure Storage of Sensitive Information
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Firefox
Firefox ESR
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Thunderbird
Ubuntu