First published: Mon Apr 19 2021
A race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab. In conjunction with certain elements (such as <input type="file">) this could have led to an attack where a user was confused about the origin of the webpage and potentially disclosed information they did not intend to. This vulnerability affects Firefox < 88.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Firefox | <88 | 88 |
 | <88 | 88 |
Mozilla Firefox | <88.0 | |
CVE-2021-24000 is a vulnerability that could have resulted in a user interacting with one tab when they believed they were on a separate tab in Mozilla Firefox.
CVE-2021-24000 has a severity value of 3.1, which is considered medium.
CVE-2021-24000 could have been exploited through a race condition with requestPointerLock() and setTimeout() in conjunction with certain elements, such as <input type="file">.
Mozilla Firefox versions earlier than 88.0 are affected by CVE-2021-24000.
To mitigate CVE-2021-24000, users should update Mozilla Firefox to version 88.0 or later.