CVE-2023-6867

The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121.

Weakness

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

Affected Software

Name	Vendor	Start Version	End Version
Firefox	Mozilla	*	121.0 (excluding)
Firefox_esr	Mozilla	*	115.6 (excluding)
Red Hat Enterprise Linux 7	RedHat	firefox-0:115.6.0-1.el7_9	*
Red Hat Enterprise Linux 8	RedHat	firefox-0:115.6.0-1.el8_9	*
Red Hat Enterprise Linux 8.2 Advanced Update Support	RedHat	firefox-0:115.6.0-1.el8_2	*
Red Hat Enterprise Linux 8.2 Telecommunications Update Service	RedHat	firefox-0:115.6.0-1.el8_2	*
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions	RedHat	firefox-0:115.6.0-1.el8_2	*
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	RedHat	firefox-0:115.6.0-1.el8_4	*
Red Hat Enterprise Linux 8.4 Telecommunications Update Service	RedHat	firefox-0:115.6.0-1.el8_4	*
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions	RedHat	firefox-0:115.6.0-1.el8_4	*
Red Hat Enterprise Linux 8.6 Extended Update Support	RedHat	firefox-0:115.6.0-1.el8_6	*
Red Hat Enterprise Linux 8.8 Extended Update Support	RedHat	firefox-0:115.6.0-1.el8_8	*
Red Hat Enterprise Linux 9	RedHat	firefox-0:115.6.0-1.el9_3	*
Red Hat Enterprise Linux 9.0 Extended Update Support	RedHat	firefox-0:115.6.0-1.el9_0	*
Red Hat Enterprise Linux 9.2 Extended Update Support	RedHat	firefox-0:115.6.0-1.el9_2	*
Firefox	Ubuntu	bionic	*
Firefox	Ubuntu	focal	*
Firefox	Ubuntu	lunar	*
Firefox	Ubuntu	trusty	*
Firefox	Ubuntu	xenial	*
Mozjs102	Ubuntu	devel	*
Mozjs102	Ubuntu	esm-apps/noble	*
Mozjs102	Ubuntu	jammy	*
Mozjs102	Ubuntu	lunar	*
Mozjs102	Ubuntu	mantic	*
Mozjs102	Ubuntu	noble	*
Mozjs102	Ubuntu	upstream	*
Mozjs38	Ubuntu	bionic	*
Mozjs38	Ubuntu	esm-apps/bionic	*
Mozjs38	Ubuntu	upstream	*
Mozjs52	Ubuntu	bionic	*
Mozjs52	Ubuntu	esm-apps/focal	*
Mozjs52	Ubuntu	esm-infra/bionic	*
Mozjs52	Ubuntu	focal	*
Mozjs52	Ubuntu	upstream	*
Mozjs68	Ubuntu	focal	*
Mozjs68	Ubuntu	upstream	*
Mozjs78	Ubuntu	esm-apps/jammy	*
Mozjs78	Ubuntu	jammy	*
Mozjs78	Ubuntu	lunar	*
Mozjs78	Ubuntu	upstream	*
Mozjs91	Ubuntu	jammy	*
Mozjs91	Ubuntu	upstream	*
Thunderbird	Ubuntu	bionic	*
Thunderbird	Ubuntu	lunar	*
Thunderbird	Ubuntu	trusty	*
Thunderbird	Ubuntu	xenial	*

Potential Mitigations

The use of X-Frame-Options allows developers of web content to restrict the usage of their application within the form of overlays, frames, or iFrames. The developer can indicate from which domains can frame the content.
The concept of X-Frame-Options is well documented, but implementation of this protection mechanism is in development to cover gaps. There is a need for allowing frames from multiple domains.
A developer can use a “frame-breaker” script in each page that should not be framed. This is very helpful for legacy browsers that do not support X-Frame-Options security feature previously mentioned.
It is also important to note that this tactic has been circumvented or bypassed. Improper usage of frames can persist in the web application through nested frames. The “frame-breaking” script does not intuitively account for multiple nested frames that can be presented to the user.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-6867
CWE	https://cwe.mitre.org/data/definitions/1021.html

Improper Restriction of Rendered UI Layers or Frames

Weakness

Affected Software

Potential Mitigations

References

CVE-2023-6867

Improper Restriction of Rendered UI Layers or Frames

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References