Mozilla Foundation Security Advisory 2016-58

Entering fullscreen and persistent pointerlock without user permission

Announced

June 7, 2016

Reporter

sushi Anton Larsson

Impact

High

Products

Firefox, Firefox ESR

Fixed in

Firefox 47
Firefox ESR 45.2

Description

Security researcher sushi Anton Larsson reported that when paired fullscreen and pointerlock requests are done in combination with closing windows, a pointerlock can be created within a fullscreen window without user permission. This pointerlock cannot then be cancelled without terminating the browser, resulting in a persistent denial of service attack. This can also be used for spoofing and clickjacking attacks against the browser UI.

References

mozRequestFullScreen + mozRequestPointerLock: bypassing pointer lock permission (CVE-2016-2831)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-58

Entering fullscreen and persistent pointerlock without user permission

Description

References