CVE-2021-23984
6.5
MEDIUM
CVSS 3.1
EPSS 0.29%
Description
A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
How to fix CVE-2021-23984
To remediate CVE-2021-23984, upgrade the affected package to a fixed version below.
- Upgrade to 78.9.0esr-1 or later
- Upgrade to 1:78.9.0-1 or later
Is CVE-2021-23984 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 78.9.0esr-1
- from 0, < 1:78.9.0-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |