CVE-2021-43538: Race Condition
First published: Tue Dec 07 2021(Updated: )
By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Thunderbird | <91.4 | 91.4 |
| <95 | 95 | |
| <91.4 | 91.4 | |
| <91.4 | 91.4 | |
| Mozilla Firefox | <95.0 | |
| Mozilla Firefox ESR | <91.4.0 | |
| Mozilla Thunderbird | <91.4.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| debian/firefox | 118.0.2-1 | |
| debian/firefox-esr | 91.12.0esr-1~deb10u1 115.3.1esr-1~deb10u1 102.15.0esr-1~deb11u1 115.3.1esr-1~deb11u1 102.15.1esr-1~deb12u1 115.3.0esr-1~deb12u1 115.3.0esr-1 115.4.0esr-1 | |
| debian/thunderbird | 1:91.12.0-1~deb10u1 1:115.3.1-1~deb10u1 1:102.13.1-1~deb11u1 1:115.3.1-1~deb11u1 1:102.15.1-1~deb12u1 1:115.3.1-1~deb12u1 1:115.3.1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1739091
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/
- https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html
- https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html
- https://security.gentoo.org/glsa/202202-03
- https://security.gentoo.org/glsa/202208-14
- https://www.debian.org/security/2021/dsa-5026
- https://www.debian.org/security/2022/dsa-5034
- https://www.mozilla.org/security/advisories/mfsa2021-52/
- https://www.mozilla.org/security/advisories/mfsa2021-53/
- https://www.mozilla.org/security/advisories/mfsa2021-54/
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43538
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43538
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43538
- https://security-tracker.debian.org/tracker/CVE-2021-43538
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-43538.
Which software is affected by this vulnerability?
This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
How can an attacker exploit this vulnerability?
By misusing a race in the notification code, an attacker can forcefully hide the notification for pages that have received full screen and pointer lock access.
What are the potential consequences of this vulnerability?
This vulnerability could be used for spoofing attacks.
Where can I find more information about this vulnerability?
You can find more information about this vulnerability at the following links: [Mozilla Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1739091), [Mozilla Security Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/), [Mozilla Security Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/).
- collector/mozilla-advisory
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/author
- agent/severity
- agent/references
- agent/weakness
- source/Mozilla
- agent/software-canonical-lookup
- agent/event
- agent/software-canonical-lookup-request
- agent/description
- agent/tags
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- vendor/mozilla
- canonical/mozilla thunderbird
- package-manager/debian
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0