Vulnerability Details:

Fixed on Firefox44.0

(1) In the notification dialog, no originates hints and warnings.The attacker can then display a malicious notification dialog to the user that seemingly originates from the trusted site. Typically this notification dialog would mimic the legitimate site. An attacker may exploit this vulnerability to spoof an interface of a trusted web site.

Origin Spoof Demo:


(2)Web Notification will be fully displayed, resulting in full screen display notification dialog to denial of service attack.

FullScreen Display DOS Demo:


This vulnerability was discovered by xisigr of Tencent’s Xuanwu LAB(