CVE-2021-43538

medium

Description

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

References

https://www.mozilla.org/security/advisories/mfsa2021-52/

https://www.mozilla.org/security/advisories/mfsa2021-54/

https://www.mozilla.org/security/advisories/mfsa2021-53/

https://bugzilla.mozilla.org/show_bug.cgi?id=1739091

https://www.debian.org/security/2021/dsa-5026

https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html

https://www.debian.org/security/2022/dsa-5034

https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html

https://security.gentoo.org/glsa/202202-03

Details

Source: MITRE

Published: 2021-12-08

Updated: 2022-03-16

Type: CWE-362

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 4.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Impact Score: 1.4

Exploitability Score: 2.8

Severity: MEDIUM