【CVE-2016-1932】Web Notification Origin Spoof and FullScreen Display DOS on Firefox for Windows

Vulnerability Details:

Fixed in Firefox 44.0

(1) The notification dialog shows no origin hint or warning. An attacker can therefore display a malicious notification dialog that appears to originate from a trusted site; typically such a dialog would mimic the legitimate site. An attacker may exploit this vulnerability to spoof the interface of a trusted web site.

Origin Spoof Demo: http://xisigr.com/test/notification/1.html

(2) A Web Notification can be displayed at full screen size, so the notification dialog covers the whole screen and results in a denial of service.

FullScreen Display DOS Demo: http://xisigr.com/test/notification/2.html

References:

https://bugzilla.mozilla.org/show_bug.cgi?id=1220519

CREDIT:
This vulnerability was discovered by xisigr of Tencent's Xuanwu LAB (http://www.tencent.com).
Email: xisigr@gmail.com
