Mozilla Foundation Security Advisory 2014-50

Clickjacking through cursor invisibility after Flash interaction

Announced
June 10, 2014
Reporter
Jordi Chancel
Impact
High
Products
Firefox
Fixed in
  • Firefox 30

Description

Security researcher Jordi Chancel reported a mechanism where the cursor can be rendered invisible after it has been used on an embedded flash object when used outside of the object. This flaw can be in used in combination with an image of the cursor manipulated through JavaScript, leading to clickjacking during interactions with HTML content subsequently. This issue only affects OS X and is not present on Windows or Linux systems.

References