CVE-2021-29987

After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. This bug only affects Firefox on Linux. Other operating systems are unaffected.. This vulnerability affects Firefox < 91 and Thunderbird < 91.

Weakness

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Affected Software

Potential Mitigations

• Common protection mechanisms include:

• Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].

• Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/16.html
• https://cwe.mitre.org/data/definitions/49.html
• https://cwe.mitre.org/data/definitions/560.html
• https://cwe.mitre.org/data/definitions/565.html
• https://cwe.mitre.org/data/definitions/600.html
• https://cwe.mitre.org/data/definitions/652.html
• https://cwe.mitre.org/data/definitions/653.html

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=1716129
• https://security.gentoo.org/glsa/202202-03
• https://www.mozilla.org/security/advisories/mfsa2021-33/
• https://www.mozilla.org/security/advisories/mfsa2021-36/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1716129
• https://security.gentoo.org/glsa/202202-03
• https://www.mozilla.org/security/advisories/mfsa2021-33/
• https://www.mozilla.org/security/advisories/mfsa2021-36/