Endpoint Vulnerability

Entering fullscreen and persistent pointerlock without user permission

Description

Security researcher sushi Anton Larsson reported that when paired fullscreen and pointerlock requests are done in combination with closing windows, a pointerlock can be created within a fullscreen window without user permission. This pointerlock cannot then be cancelled without terminating the browser, resulting in a persistent denial of service attack. This can also be used for spoofing and clickjacking attacks against the browser UI.

Affected Products

Firefox,Firefox ESR

References

CVE-2016-2831,