By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
References
| Link | Resource |
|---|---|
| https://bugzilla.mozilla.org/show_bug.cgi?id=1739091 | Issue Tracking Permissions Required Vendor Advisory |
| https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html | Mailing List Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html | Mailing List Third Party Advisory |
| https://security.gentoo.org/glsa/202202-03 | Third Party Advisory |
| https://security.gentoo.org/glsa/202208-14 | Third Party Advisory |
| https://www.debian.org/security/2021/dsa-5026 | Third Party Advisory |
| https://www.debian.org/security/2022/dsa-5034 | Third Party Advisory |
| https://www.mozilla.org/security/advisories/mfsa2021-52/ | Vendor Advisory |
| https://www.mozilla.org/security/advisories/mfsa2021-53/ | Vendor Advisory |
| https://www.mozilla.org/security/advisories/mfsa2021-54/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
No history.
Information
Published : 2021-12-08 22:15
Updated : 2022-12-09 15:55
NVD link : CVE-2021-43538
Mitre link : CVE-2021-43538
CVE.ORG link : CVE-2021-43538
JSON object : View
Products Affected
debian
- debian_linux
mozilla
- thunderbird
- firefox
- firefox_esr
CWE
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')