[CVE-2017-7770] Addressbar spoofing with JavaScript events and fullscreen mode on Firefox for Android


https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7770

Addressbar spoofing with JavaScript events and fullscreen mode


Announced: June 13, 2017
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox
Fixed in: Firefox 54


  • Description:

Security researcher Jordi Chancel reported a mechanism in which, when a new tab is loaded through JavaScript events and fullscreen mode is then entered, the addressbar will not be rendered.
This would allow a malicious site to display a spoofed addressbar, showing the location of an arbitrary website instead of the one loaded.

Note: this issue only affects Firefox for Android. Desktop Firefox is unaffected.


Vulnerability demonstration (video):


(Details of this vulnerability, covering its exploitation and its fix, will be available soon. Please check back in a few days.)

