Mozilla Foundation Security Advisory 2016-58

Entering fullscreen and persistent pointerlock without user permission

Announced
June 7, 2016
Reporter
sushi Anton Larsson
Impact
High
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 47
  • Firefox ESR 45.2

Description

Security researcher sushi Anton Larsson reported that when paired fullscreen and pointerlock requests are done in combination with closing windows, a pointerlock can be created within a fullscreen window without user permission. This pointerlock cannot then be cancelled without terminating the browser, resulting in a persistent denial of service attack. This can also be used for spoofing and clickjacking attacks against the browser UI.

References