CVE-2020-26953

It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

Weakness

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

Affected Software

Name	Vendor	Start Version	End Version
Firefox	Mozilla	*	83.0 (excluding)
Firefox_esr	Mozilla	*	78.5 (excluding)
Thunderbird	Mozilla	*	78.5 (excluding)
Red Hat Enterprise Linux 6	RedHat	thunderbird-0:78.5.0-1.el6_10	*
Red Hat Enterprise Linux 6	RedHat	firefox-0:78.5.0-1.el6_10	*
Red Hat Enterprise Linux 7	RedHat	thunderbird-0:78.5.0-1.el7_9	*
Red Hat Enterprise Linux 7	RedHat	firefox-0:78.5.0-1.el7_9	*
Red Hat Enterprise Linux 8	RedHat	thunderbird-0:78.5.0-1.el8_3	*
Red Hat Enterprise Linux 8	RedHat	firefox-0:78.5.0-1.el8_3	*
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions	RedHat	thunderbird-0:78.5.0-1.el8_0	*
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions	RedHat	firefox-0:78.5.0-1.el8_0	*
Red Hat Enterprise Linux 8.1 Extended Update Support	RedHat	thunderbird-0:78.5.0-1.el8_1	*
Red Hat Enterprise Linux 8.1 Extended Update Support	RedHat	firefox-0:78.5.0-1.el8_1	*
Red Hat Enterprise Linux 8.2 Extended Update Support	RedHat	thunderbird-0:78.5.0-1.el8_2	*
Red Hat Enterprise Linux 8.2 Extended Update Support	RedHat	firefox-0:78.5.0-1.el8_2	*
Firefox	Ubuntu	bionic	*
Firefox	Ubuntu	devel	*
Firefox	Ubuntu	focal	*
Firefox	Ubuntu	groovy	*
Firefox	Ubuntu	hirsute	*
Firefox	Ubuntu	impish	*
Firefox	Ubuntu	jammy	*
Firefox	Ubuntu	kinetic	*
Firefox	Ubuntu	lunar	*
Firefox	Ubuntu	mantic	*
Firefox	Ubuntu	noble	*
Firefox	Ubuntu	trusty	*
Firefox	Ubuntu	upstream	*
Firefox	Ubuntu	xenial	*
Mozjs38	Ubuntu	bionic	*
Mozjs38	Ubuntu	esm-apps/bionic	*
Mozjs38	Ubuntu	upstream	*
Mozjs52	Ubuntu	bionic	*
Mozjs52	Ubuntu	esm-apps/focal	*
Mozjs52	Ubuntu	esm-infra/bionic	*
Mozjs52	Ubuntu	focal	*
Mozjs52	Ubuntu	groovy	*
Mozjs52	Ubuntu	upstream	*
Mozjs60	Ubuntu	upstream	*
Mozjs68	Ubuntu	focal	*
Mozjs68	Ubuntu	groovy	*
Mozjs68	Ubuntu	upstream	*
Thunderbird	Ubuntu	bionic	*
Thunderbird	Ubuntu	devel	*
Thunderbird	Ubuntu	focal	*
Thunderbird	Ubuntu	groovy	*
Thunderbird	Ubuntu	hirsute	*
Thunderbird	Ubuntu	impish	*
Thunderbird	Ubuntu	jammy	*
Thunderbird	Ubuntu	kinetic	*
Thunderbird	Ubuntu	lunar	*
Thunderbird	Ubuntu	mantic	*
Thunderbird	Ubuntu	noble	*
Thunderbird	Ubuntu	trusty	*
Thunderbird	Ubuntu	upstream	*
Thunderbird	Ubuntu	xenial	*

Potential Mitigations

The use of X-Frame-Options allows developers of web content to restrict the usage of their application within the form of overlays, frames, or iFrames. The developer can indicate from which domains can frame the content.
The concept of X-Frame-Options is well documented, but implementation of this protection mechanism is in development to cover gaps. There is a need for allowing frames from multiple domains.
A developer can use a “frame-breaker” script in each page that should not be framed. This is very helpful for legacy browsers that do not support X-Frame-Options security feature previously mentioned.
It is also important to note that this tactic has been circumvented or bypassed. Improper usage of frames can persist in the web application through nested frames. The “frame-breaking” script does not intuitively account for multiple nested frames that can be presented to the user.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-26953
CWE	https://cwe.mitre.org/data/definitions/1021.html

Improper Restriction of Rendered UI Layers or Frames

Weakness

Affected Software

Potential Mitigations

References

CVE-2020-26953

Improper Restriction of Rendered UI Layers or Frames

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References