CVE-2023-37207

Published: 5 July 2023

A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.

Notes

Author	Note
tyhicks	mozjs contains a copy of the SpiderMonkey JavaScript engine
mdeslaur	starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap

Priority

Cvss 3 Severity Score

6.5

Score breakdown

Status

Package	Release	Status
firefox Launchpad, Ubuntu, Debian	trusty	Ignored (end of standard support)
	xenial	Ignored (end of standard support)
	bionic	Ignored (end of standard support)
	jammy	Not vulnerable (code not present)
	kinetic	Ignored (end of life, was needs-triage)
	lunar	Not vulnerable (code not present)
	upstream	Released (115.0-1)
	focal	Released (115.0+build2-0ubuntu0.20.04.3)
thunderbird Launchpad, Ubuntu, Debian	trusty	Ignored (end of standard support)
	xenial	Ignored (end of standard support)
	bionic	Ignored (end of standard support)
	upstream	Needs triage
	focal	Released (1:102.13.0+build1-0ubuntu0.20.04.1)
	jammy	Released (1:102.13.0+build1-0ubuntu0.22.04.1)
	kinetic	Released (1:102.13.0+build1-0ubuntu0.22.10.1)
	lunar	Released (1:102.13.0+build1-0ubuntu0.23.04.1)

Severity score breakdown

Parameter	Value
Base score	6.5
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›