Mozilla Foundation Security Advisory 2008-40

Forced mouse drag

Announced

September 23, 2008

Reporter

Paul Nickerson, Liu Die Yu

Impact

Low

Products

Firefox, SeaMonkey

Fixed in

Firefox 2.0.0.17
Firefox 3.0.2
SeaMonkey 1.1.12

Description

Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions.

Workaround

open Options/Preferences dialog
go to the "Content" tab
click the "Advanced..." button on the same line as the "Enable JavaScript" checkbox
UN-check the "Move or resize existing windows" box.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=329385
CVE-2008-3837

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice