Mozilla Foundation Security Advisory 2016-06

Missing delay following user click events in protocol handler dialog

Announced

January 26, 2016

Reporter

window

Impact

Moderate

Products

Firefox

Fixed in

Firefox 44

Description

Security researcher window reported an issue where the protocol handler dialog appears, double click events are treated as two single click events. This was caused by the lack of a delay following the initial focus in the file download dialog. This could cause a second dialog to be sent the second click, leading to unintentional user initiated actions, such as the running of downloaded software from a maliciously positioned prompt.

References

protocol handler dialog does not resist ui timing attacks (CVE-2016-1937)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-06

Missing delay following user click events in protocol handler dialog

Description

References