By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
| Link | Tags |
|---|---|
| https://www.mozilla.org/security/advisories/mfsa2021-49/ | vendor advisory |
| https://www.mozilla.org/security/advisories/mfsa2021-50/ | vendor advisory |
| https://www.mozilla.org/security/advisories/mfsa2021-48/ | vendor advisory |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1366818 | issue tracking permissions required vendor advisory |
| https://www.debian.org/security/2021/dsa-5026 | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html | third party advisory mailing list |
| https://www.debian.org/security/2022/dsa-5034 | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html | third party advisory mailing list |
| https://security.gentoo.org/glsa/202202-03 | third party advisory vendor advisory |
| https://security.gentoo.org/glsa/202208-14 | third party advisory vendor advisory |