| 1313916
|
|
For a toplevel load where the authentication prompt is dismissed we don't unload the current page in some circumstances
|
Core
|
Networking: HTTP
|
nobody
|
UNCO
|
---
|
2024-05-30
|
| 1228719
|
|
Partial URL spoofing using javascript: URI scheme
|
Core
|
Networking
|
nobody
|
UNCO
|
---
|
2022-10-11
|
| 1272555
|
|
Shouldn't use alternate domain fixup when opening links except if using the URL bar
|
Firefox
|
General
|
nobody
|
UNCO
|
---
|
2022-10-11
|
| 1346123
|
|
Trapping the user in fullscreen by using modal search dialog alerts (and blocking F11)
|
Firefox
|
General
|
nobody
|
UNCO
|
---
|
2022-10-11
|
| 1675213
|
|
Thunderbird fails to show fake URL when hovering over URL text in scam email
|
Thunderbird
|
General
|
nobody
|
UNCO
|
---
|
2021-03-25
|
| 647010
|
|
Only present HTTP authentication dialogs if it is the top-level document initiating the auth
|
Core
|
Networking: HTTP
|
nobody
|
NEW
|
---
|
2023-05-04
|
| 1294413
|
|
Potential address bar spoof using @title (or spoofing a "browser" message) for form validation popup
|
Firefox
|
General
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1445198
|
|
Review panel usage spoofing in Firefox
|
Firefox
|
Security
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1481994
|
|
URL Spoofing by delaying a navigation and using the onbeforeunload dialog
|
Core
|
DOM: Navigation
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1598175
|
|
Potential origin spoofing because address bar truncates "facebook.com.evil.com" to "facebook.com..." instead of "...evil.com"
|
Firefox
|
Address Bar
|
nobody
|
NEW
|
---
|
2024-05-08
|
| 1670725
|
|
truncate URL bar from the front, preserve the important parts of the domain
|
Fenix
|
Toolbar
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1693755
|
|
Downloaded file extension unexpectedly changes to HTML when using "open with" and can execute code (based on content type sent by the server that doesn't match filename)
|
Firefox
|
File Handling
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1704346
|
|
Block prompt for http auth credentials for subresorces as much as we can
|
Core
|
Networking: HTTP
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1841246
|
|
Prompts for EME/DRM used from iframe's popup with allow-popups, allow-script and allow-same-origin shows toplevel origin instead of frame origin
|
Fenix
|
Media
|
nobody
|
NEW
|
---
|
2024-06-02
|
| 678994
|
|
onclick popups can be delayed by event-loop-spinning tricks
|
Core
|
DOM: Core & HTML
|
nobody
|
NEW
|
---
|
2022-10-10
|
| 753212
|
|
Javascript alert containing long words has missing vertical scroll bar, missing origin, and obstructing horizontal scroll bar
|
Toolkit
|
Content Prompts
|
nobody
|
NEW
|
---
|
2023-06-22
|
| 997914
|
|
IDN Blacklist missing unicode characters
|
Core
|
Networking
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1297476
|
|
certification authority display lags the certificate and authority replacement via proxy
|
Firefox
|
Site Identity
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1298584
|
|
Security: Partial Address Bar Spoofing in Firefox V51.0(Nightly)
|
Firefox
|
Address Bar
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1322022
|
|
Need test for location bar spoofing via drag and drop of broken javascript: URI
|
Firefox
|
Address Bar
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1323452
|
|
Consider whether to revert the URL bar straight after 'paste and go' usage
|
Firefox
|
Address Bar
|
nobody
|
NEW
|
---
|
2024-04-08
|
| 1349316
|
|
Include dotted forms from Latin Extended Additional unicode block for IDNA
|
Core
|
Networking
|
nobody
|
NEW
|
---
|
2023-07-05
|
| 1372322
|
|
if Anchor title attribute "looks like" a URL display href instead
|
Core
|
DOM: Core & HTML
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1445758
|
|
Focus does not show the top level domain +1 in the address bar
|
Focus
|
General
|
nobody
|
NEW
|
---
|
2023-01-26
|
| 1453448
|
|
Capture thumbnails with safe browsing always enabled
|
Firefox
|
New Tab Page
|
nobody
|
NEW
|
---
|
2023-10-30
|
| 1457080
|
|
Phishing risks with Firefox not always showing the origin (Linux and Android)
|
Toolkit
|
Alerts Service
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1463533
|
|
When a specially-crafted input text value containing a privileged URL scheme (eg: chrome: URL) of a prompt() dialog is dragged and dropped to the "home" icon, the home page can be changed by this privileged URL
|
Firefox
|
Toolbars and Customi
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1519518
|
|
(Bypassing Mozilla Firefox Data URL blocking)
|
Core
|
DOM: Security
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1620920
|
|
UI Spoofing: chrome.windows.create of WebExtensions can create a fullscreen window without a warning
|
WebExtensions
|
Frontend
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1629684
|
|
URL spoofing using 'very-long-hostname' URL
|
Firefox
|
Address Bar
|
nobody
|
NEW
|
---
|
2023-11-01
|
| 1631073
|
|
401 password prompt spoofing thing
|
Fenix
|
General
|
nobody
|
NEW
|
---
|
2023-07-24
|
| 1714565
|
|
Status bar URL spoofing without Javascript (using IDN whole-script confusables)
|
Core
|
DOM: Core & HTML
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1731181
|
|
Address bar, security windows show origin elided insecurely, allows URL spoofing
|
Focus
|
General
|
nobody
|
NEW
|
---
|
2023-06-05
|
| 1804305
|
|
It is possible to mimic swipe-to-nav with content using overscroll-behavior-x
|
Core
|
Panning and Zooming
|
nobody
|
NEW
|
---
|
2023-04-07
|
| 1830519
|
|
Iframe with sandbox not block HTTP authentication dialogs
|
Core
|
DOM: Core & HTML
|
nobody
|
NEW
|
---
|
2024-06-02
|
| 1835517
|
|
alt prompt can cover fullscreen notifications
|
Core
|
DOM: Core & HTML
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1868171
|
|
Excessive Input Form with scroll down can spoof hidden address bar
|
Fenix
|
Toolbar
|
nobody
|
NEW
|
---
|
2024-06-02
|
| 1888847
|
|
DevTools Storage inspector cookie table rendering issue/misalignment with tall characters
|
DevTools
|
Storage Inspector
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1230354
|
|
Executable planting / Drive-by cache vulnerability
|
Core
|
Networking: Cache
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1383402
|
|
Temporary addressbar spoof by copy/pasting url for slow/unreachable port into location bar
|
Firefox
|
Address Bar
|
nobody
|
NEW
|
---
|
2023-07-19
|
| 1656735
|
|
URL spoofing on Android with U+03XX (Combining Dots)
|
Fenix
|
Toolbar
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1889942
|
|
HTML Injection in resource:// scheme on Fenix error pages
|
Fenix
|
Browser Engine
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 72374
|
|
different icons for bookmarklets and normal bookmarks
|
SeaMonkey
|
Bookmarks & History
|
nobody
|
NEW
|
---
|
2017-08-12
|
| 363132
|
|
By making Cut/Copy shortcut fail, a site can see your clipboard with little cooperation
|
Core
|
DOM: Editor
|
nobody
|
NEW
|
---
|
2022-10-10
|
| 363142
|
|
Replace delay in security dialogs with something else
|
Core
|
Security
|
nobody
|
NEW
|
---
|
2022-10-10
|
| 741050
|
|
Downloads initiated by other tabs are misleading
|
Firefox
|
File Handling
|
nobody
|
NEW
|
---
|
2024-05-29
|
| 774065
|
|
Replace bookmarklets with "user-script buttons"
|
Firefox
|
General
|
nobody
|
NEW
|
---
|
2022-10-10
|
| 801438
|
|
Fake site without URL while loading never finishes
|
Firefox
|
Security
|
nobody
|
NEW
|
---
|
2022-10-10
|
| 822215
|
|
iframe-to-iframe cross-domain extraction method (UI Redressing)
|
Core
|
DOM: Copy & Paste an
|
nobody
|
NEW
|
---
|
2022-11-28
|
| 845194
|
|
Cross-domain drag and drop across IFrames.
|
Core
|
DOM: Copy & Paste an
|
nobody
|
NEW
|
---
|
2022-11-28
|
| 918264
|
|
WINDOWS URL bar Spoofing when press F11 for go to full screen
|
Core
|
General
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 971598
|
|
[meta] Mitigate "Self-XSS" social engineering attacks
|
Firefox
|
General
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1031060
|
|
drag and drop with a cursor in content is redirected to location bar
|
Core
|
Widget: Cocoa
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1140819
|
|
There is no obvious way to exit fullscreen on a tablet when the app doesn't do it
|
Core
|
DOM: Core & HTML
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1470673
|
|
HTML email hover over URL spoof
|
Thunderbird
|
Security
|
nobody
|
NEW
|
---
|
2022-10-11
|
| 1691251
|
|
Spoofing identity UI and hiding certificate details by forcing SSL connection to be presented as local resource
|
Firefox
|
Security
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1815640
|
|
History API should be banned in opaque origins
|
Core
|
DOM: Core & HTML
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1834605
|
|
Spoofing of URL bar on net error page
|
Firefox
|
Security
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1837916
|
|
Firefox for iOS QR Code Scanner does not show the URL for user confirmation before opening it
|
Firefox for iOS
|
General
|
nobody
|
NEW
|
---
|
Tue 14:24
|
| 1844642
|
|
Title for JS prompts from a data: iframe is the generic "This page says"; Chrome shows the containing origin instead
|
Core
|
DOM: Core & HTML
|
nobody
|
NEW
|
---
|
2024-05-30
|
| 1866907
|
|
IOS Address Bar Spoofing via q= paramter allows redirect user to macilious link & javascript url
|
Firefox for iOS
|
General
|
nobody
|
NEW
|
---
|
Wed 23:07
|
| 1895568
|
|
Modals cover complete Omnibox when using multi window android feature
|
Fenix
|
General
|
nobody
|
NEW
|
---
|
2024-06-04
|
| 980909
|
|
Contents of previous URL still showed & interactive while loading & showing another URL in the Location bar
|
Firefox
|
Address Bar
|
nobody
|
REOP
|
---
|
2022-10-11
|
| 1261073
|
|
Potentially malicious data URLs are not well highlighted for novice users
|
Firefox
|
Address Bar
|
nobody
|
REOP
|
---
|
2023-05-15
|
| 1332714
|
|
IDN Phishing using whole-script confusables on Windows and Linux
|
Firefox
|
Address Bar
|
nobody
|
REOP
|
---
|
2024-05-21
|
| 1543202
|
|
Keyboard shortcut highlights menu despite being consumed by web content
|
Core
|
Widget: Cocoa
|
nobody
|
REOP
|
---
|
2022-10-11
|
| 1196267
|
|
URL and error message spoofing in about:neterror
|
Core
|
DOM: Core & HTML
|
nobody
|
REOP
|
---
|
2024-05-30
|
| 1804816
|
|
Css Draw Mouse Cursor 32x32 (zoom out) to hide omni box
|
Core
|
DOM: CSS Object Mode
|
nobody
|
REOP
|
---
|
2024-05-30
|
