CVE-2023-34414

Published: 7 June 2023

The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
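The protection the advisory refers to, sketched as an added example: this is not Firefox's code, and the class, method and event names, the 1000 ms default, and the event timeline are assumptions for illustration. A button that overrides a certificate error ignores clicks until a delay has elapsed since the page was actually painted, so a click elicited on the previous page cannot land on it in the gap between the error page loading and the display refreshing. Three variants are compared: no delay (the behaviour the advisory describes), a delay anchored at load, and a delay anchored at first paint, which is the one that survives a deliberately stalled renderer.

```javascript
// Added example, not Firefox's code: a minimal "activation delay" of the kind the
// advisory says the certificate-error page lacked. ActivationDelayGuard, simulate,
// compareAnchors, the 1000 ms default and TIMELINE are assumptions for illustration.

const DEFAULT_DELAY_MS = 1000; // assumed value; the real browser setting may differ

class ActivationDelayGuard {
  // anchor: 'paint' starts the delay at the first real paint of the page,
  //         'load'  starts it at navigation/load (the weaker variant),
  //         'none'  disables the delay (the behaviour the advisory describes).
  constructor({ anchor = 'paint', delayMs = DEFAULT_DELAY_MS } = {}) {
    this.anchor = anchor;
    this.delayMs = delayMs;
    this.armedAt = null; // timestamp from which the delay is measured
  }

  onLoad(nowMs) {
    if (this.anchor === 'load') this.armedAt = nowMs;
  }

  // In a real page this would run from a requestAnimationFrame callback after
  // load, so a renderer kept busy cannot start the clock before anything is visible.
  onPaint(nowMs) {
    if (this.anchor === 'paint') this.armedAt = nowMs;
  }

  // Anything that can change what is under the pointer (tab hidden, window
  // moved, focus lost) restarts the delay.
  disarm() {
    this.armedAt = null;
  }

  // Decide whether a click on the override button counts.
  click(nowMs) {
    if (this.anchor === 'none') return 'accepted';
    if (this.armedAt === null) return 'rejected:not-visible';
    if (nowMs - this.armedAt < this.delayMs) return 'rejected:too-soon';
    return 'accepted';
  }
}

// Replay a constructed event timeline through a guard; returns the outcome of
// each click, in order.
function simulate(guard, events) {
  const outcomes = [];
  for (const ev of events) {
    if (ev.type === 'load') guard.onLoad(ev.t);
    else if (ev.type === 'paint') guard.onPaint(ev.t);
    else if (ev.type === 'hide') guard.disarm();
    else if (ev.type === 'click') outcomes.push(guard.click(ev.t));
  }
  return outcomes;
}

// Constructed timeline modelled on the advisory: the error page loads at t=0,
// the renderer is kept busy so the first paint lands at t=1200, the click the
// attacker elicited on the previous page arrives at t=1300 (100 ms after the
// button became visible), and a genuine user click follows at t=2500.
const TIMELINE = [
  { t: 0,    type: 'load'  },
  { t: 1200, type: 'paint' },
  { t: 1300, type: 'click' },
  { t: 2500, type: 'click' },
];

// Run the same timeline through the three variants and return their verdicts.
function compareAnchors(events = TIMELINE) {
  return {
    none:  simulate(new ActivationDelayGuard({ anchor: 'none'  }), events),
    load:  simulate(new ActivationDelayGuard({ anchor: 'load'  }), events),
    paint: simulate(new ActivationDelayGuard({ anchor: 'paint' }), events),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compareAnchors(), null, 2));
}

if (typeof module !== 'undefined') {
  module.exports = { ActivationDelayGuard, simulate, compareAnchors, TIMELINE };
}
```

On the constructed timeline the 'none' and 'load' variants both accept the elicited click at t=1300 (1300 ms have passed since load, so a load-anchored delay is already satisfied), while the paint-anchored guard rejects it and accepts only the genuine click at t=2500. Wiring this into a page means calling onPaint from a requestAnimationFrame callback after the load event and disarm from visibilitychange or blur handlers; this illustrates the principle only and makes no claim about how Firefox's own implementation is structured.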

Notes

Author   Note
tyhicks  mozjs contains a copy of the SpiderMonkey JavaScript engine
mdeslaur starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap

Priority

Medium

CVSS 3 Severity Score

3.1

Status

Package Release Status

firefox (Launchpad, Ubuntu, Debian)
trusty   Ignored (end of standard support)
xenial   Ignored (end of standard support)
bionic   Ignored (end of standard support)
focal    Released (114.0+build3-0ubuntu0.20.04.1)
jammy    Not vulnerable (code not present)
kinetic  Not vulnerable (code not present)
lunar    Not vulnerable (code not present)
upstream Needs triage

For jammy and later, "code not present" follows from the note above: the firefox deb is only a transitional script, so the fixed browser is delivered through the Firefox snap rather than through the package listed here.

thunderbird (Launchpad, Ubuntu, Debian)
trusty   Ignored (end of standard support)
xenial   Ignored (end of standard support)
bionic   Ignored (end of standard support)
focal    Released (1:102.13.0+build1-0ubuntu0.20.04.1)
jammy    Released (1:102.13.0+build1-0ubuntu0.22.04.1)
kinetic  Released (1:102.13.0+build1-0ubuntu0.22.10.1)
lunar    Released (1:102.13.0+build1-0ubuntu0.23.04.1)
upstream Needs triage

Severity score breakdown

Parameter              Value
Base score             3.1
Attack vector          Network
Attack complexity      High
Privileges required    None
User interaction       Required
Scope                  Unchanged
Confidentiality impact None
Integrity impact       None
Availability impact    Low
Vector                 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L