Mozilla Foundation Security Advisory 2016-08

Delay following click events in file download dialog too short on OS X

Announced
January 26, 2016
Reporter
Jordi Chancel
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 44

Description

Security researcher Jordi Chancel reported an issue on OS X where the delay between the download dialog getting focus and the button getting enabled was too short. If an attacker is able to induce the user to double-click in a specific location, they can then pass the second click through to the dialog below, leading to unintentional actions such as the running of downloaded software.

This issue only affects OS X installations. Windows, Linux, and Android installations are unaffected by it.

References