CVE-2023-6206
First published: Tue Nov 21 2023(Updated: )
The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/firefox | <115.5 | 115.5 |
| redhat/thunderbird | <115.5 | 115.5 |
| ubuntu/firefox | <120.0+ | 120.0+ |
| ubuntu/thunderbird | <1:115.5.0+ | 1:115.5.0+ |
| ubuntu/thunderbird | <1:115.5.0+ | 1:115.5.0+ |
| ubuntu/thunderbird | <1:115.5.0+ | 1:115.5.0+ |
| ubuntu/thunderbird | <1:115.5.0+ | 1:115.5.0+ |
| Mozilla Thunderbird | <115.5 | 115.5 |
| Mozilla Firefox ESR | <115.5 | 115.5 |
| Mozilla Firefox | <120 | 120 |
| Mozilla Firefox | <120.0 | |
| Mozilla Firefox ESR | <115.5.0 | |
| Mozilla Thunderbird | <115.5 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 | |
| debian/firefox | 123.0-1 | |
| debian/firefox-esr | <=91.12.0esr-1~deb10u1 | 115.8.0esr-1~deb10u1 115.7.0esr-1~deb11u1 115.8.0esr-1~deb11u1 115.7.0esr-1~deb12u1 115.8.0esr-1~deb12u1 115.8.0esr-1 |
| debian/thunderbird | <=1:91.12.0-1~deb10u1 | 1:115.8.0-1~deb10u1 1:115.7.0-1~deb11u1 1:115.8.0-1~deb11u1 1:115.7.0-1~deb12u1 1:115.8.0-1~deb12u1 1:115.7.0-1 1:115.8.1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1857430
- https://www.mozilla.org/security/advisories/mfsa2023-49/
- https://www.mozilla.org/security/advisories/mfsa2023-50/
- https://www.mozilla.org/security/advisories/mfsa2023-52/
- https://www.debian.org/security/2023/dsa-5561
- https://lists.debian.org/debian-lts-announce/2023/11/msg00017.html
- https://lists.debian.org/debian-lts-announce/2023/11/msg00030.html
- https://launchpad.net/bugs/cve/CVE-2023-6206
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6206
- https://access.redhat.com/errata/RHSA-2023:7499
- https://access.redhat.com/errata/RHSA-2023:7502
- https://access.redhat.com/errata/RHSA-2023:7500
- https://access.redhat.com/errata/RHSA-2023:7501
- https://access.redhat.com/errata/RHSA-2023:7504
- https://access.redhat.com/errata/RHSA-2023:7503
- https://access.redhat.com/errata/RHSA-2023:7506
- https://access.redhat.com/errata/RHSA-2023:7510
- https://access.redhat.com/errata/RHSA-2023:7507
- https://access.redhat.com/errata/RHSA-2023:7511
- https://access.redhat.com/errata/RHSA-2023:7508
- https://access.redhat.com/errata/RHSA-2023:7505
- https://access.redhat.com/errata/RHSA-2023:7509
- https://access.redhat.com/errata/RHSA-2023:7512
- https://access.redhat.com/errata/RHSA-2023:7547
- https://access.redhat.com/errata/RHSA-2023:7569
- https://access.redhat.com/errata/RHSA-2023:7570
- https://access.redhat.com/errata/RHSA-2023:7573
- https://access.redhat.com/errata/RHSA-2023:7574
- https://access.redhat.com/errata/RHSA-2023:7577
- https://bugzilla.redhat.com/show_bug.cgi?id=2250898
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6206
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6206
- https://security-tracker.debian.org/tracker/CVE-2023-6206
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6206
- https://ubuntu.com/security/notices/USN-6509-1
- https://ubuntu.com/security/notices/USN-6515-1
- https://nvd.nist.gov/vuln/detail/CVE-2023-6206
- https://ubuntu.com/security/CVE-2023-6206
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2023-6206?
CVE-2023-6206 is a vulnerability in Mozilla Firefox and Thunderbird that allows for a clickjacking attack by manipulating the timing of the exit fullscreen black fade animation.
How does CVE-2023-6206 affect Firefox and Thunderbird?
CVE-2023-6206 affects Firefox versions up to and including 115.5 and Thunderbird versions up to and including 115.5.
What is the severity of CVE-2023-6206?
CVE-2023-6206 has a severity level of high with a severity value of 7.
How can the CVE-2023-6206 vulnerability be exploited?
The vulnerability can be exploited by luring users to click in the area where permission grant buttons would appear after the exit fullscreen animation.
What is the remedy for CVE-2023-6206?
The remedy for CVE-2023-6206 is to upgrade to Firefox version 120 or later.
- collector/mitre-cve
- agent/author
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-6206
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/usn-cve
- source/Ubuntu
- collector/mozilla-advisory
- source/Mozilla
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/softwarecombine
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-cve
- source/NVD
- agent/tags
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- package-manager/ubuntu
- vendor/mozilla
- canonical/mozilla thunderbird
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- version/debian debian linux/12.0
- package-manager/debian