Mozilla Foundation Security Advisory 2014-60

Toolbar dialog customization event spoofing

Announced

July 22, 2014

Reporter

David Chan, Gijs Kruitbosch

Impact

Low

Products

Firefox

Fixed in

Firefox 31

Description

Mozilla developers David Chan and Gijs Kruitbosch reported that it is possible to create a drag and drop event in web content which mimics the behavior of a chrome customization event. This can occur when a user is customizing a page or panel. This results in a limited ability to move UI icons within the visible window but does not otherwise affect customization or window content.

References

Toolkit toolbar dialog customization event spoofing (CVE-2014-1561)
New PanelUI / toolbar customization event spoofing

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2014-60

Toolbar dialog customization event spoofing

Description

References