Mozilla Foundation Security Advisory 2015-26

UI Tour whitelisted sites in background tab can spoof foreground tabs

Announced

February 24, 2015

Reporter

Matthew Noorenberghe

Impact

Moderate

Products

Firefox

Fixed in

Firefox 36

Description

Mozilla developer Matthew Noorenberghe reported that whitelisted Mozilla domains could make UITour API calls while the UI Tour pages for Firefox are present in background tabs. If one of these Mozilla domains was compromised and open in another tab, an attacker could then use that tab to engage in spoofing and clickjacking in any foreground tab.

References

UITour: onPageEvent doesn't ignore API calls from background tabs (CVE-2015-0819)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-26

UI Tour whitelisted sites in background tab can spoof foreground tabs

Description

References