CVE-2022-45418


CVSS 6.1 MEDIUM | EPSS 0.7% | CWE-1021
In short

A custom mouse cursor defined in CSS could appear on top of browser controls, potentially tricking users into clicking the wrong buttons or thinking they're interacting with legitimate interface elements.

Technical detail

This is a CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) weakness: a malicious web page can render a custom CSS cursor that overlays browser UI elements, creating a spoofing vector. Exploitation requires the user to interact with the spoofed UI area. Affected versions are Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Severity is medium because a successful attack relies on user confusion.

Summary generated and translated by AI from the official description.
If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
