Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2015-0819

Source

Mozilla Foundation Security Advisory 2015-26

UI Tour whitelisted sites in background tab can spoof foreground tabs

Announced

February 24, 2015

Reporter

Matthew Noorenberghe

Impact

Moderate

Products

Firefox

Fixed in

Firefox 36

Description

Mozilla developer Matthew Noorenberghe reported that whitelisted Mozilla domains could make UITour API calls while the UI Tour pages for Firefox are present in background tabs. If one of these Mozilla domains was compromised and open in another tab, an attacker could then use that tab to engage in spoofing and clickjacking in any foreground tab.

References

UITour: onPageEvent doesn't ignore API calls from background tabs (CVE-2015-0819)

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

UI Tour whitelisted sites in background tab can spoof foreground tabs

UI Tour whitelisted sites in background tab can spoof foreground tabs

Description

References

Vulmon Search

About

Products

Connect