{"api_version":"1","generated_at":"2026-04-23T00:40:34+00:00","cve":"CVE-2021-43538","urls":{"html":"https://cve.report/CVE-2021-43538","api":"https://cve.report/api/cve/CVE-2021-43538.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-43538","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-43538"},"summary":{"title":"CVE-2021-43538","description":"By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-12-08 22:15:00","updated_at":"2022-12-09 15:55:00"},"problem_types":["CWE-362"],"metrics":[],"references":[{"url":"https://www.debian.org/security/2021/dsa-5026","name":"DSA-5026","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5026-1 firefox-esr","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202208-14","name":"GLSA-202208-14","refsource":"GENTOO","tags":[],"title":"Mozilla Thunderbird: Multiple Vulnerabilities (GLSA 202208-14) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-54/","name":"https://www.mozilla.org/security/advisories/mfsa2021-54/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 91.4.0 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202202-03","name":"GLSA-202202-03","refsource":"GENTOO","tags":[],"title":"Mozilla Firefox: Multiple vulnerabilities (GLSA 202202-03) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2022/dsa-5034","name":"DSA-5034","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5034-1 thunderbird","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-52/","name":"https://www.mozilla.org/security/advisories/mfsa2021-52/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox 95 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-53/","name":"https://www.mozilla.org/security/advisories/mfsa2021-53/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox ESR 91.4.0 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html","name":"[debian-lts-announce] 20211229 [SECURITY] [DLA 2863-1] firefox-esr security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2863-1] firefox-esr security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html","name":"[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2874-1] thunderbird security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1739091","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1739091","refsource":"MISC","tags":[],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-43538","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43538","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"43538","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43538","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43538","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43538","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43538","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43538","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-43538","qid":"159547","title":"Oracle Enterprise Linux Security Update for firefox (ELSA-2021-5013)"},{"cve":"CVE-2021-43538","qid":"159548","title":"Oracle Enterprise Linux Security Update for firefox (ELSA-2021-5014)"},{"cve":"CVE-2021-43538","qid":"159549","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-5045)"},{"cve":"CVE-2021-43538","qid":"159550","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-5046)"},{"cve":"CVE-2021-43538","qid":"178948","title":"Debian Security Update for firefox-esr (DSA 5026-1)"},{"cve":"CVE-2021-43538","qid":"178970","title":"Debian Security Update for firefox-esr (DLA 2863-1)"},{"cve":"CVE-2021-43538","qid":"178983","title":"Debian Security Update for thunderbird (DSA 5034-1)"},{"cve":"CVE-2021-43538","qid":"178986","title":"Debian Security Update for thunderbird (DLA 2874-1)"},{"cve":"CVE-2021-43538","qid":"180444","title":"Debian Security Update for firefox-esr (CVE-2021-43538)"},{"cve":"CVE-2021-43538","qid":"198601","title":"Ubuntu Security Notification for Firefox Vulnerabilities (USN-5186-1)"},{"cve":"CVE-2021-43538","qid":"198641","title":"Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5248-1)"},{"cve":"CVE-2021-43538","qid":"198643","title":"Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5246-1)"},{"cve":"CVE-2021-43538","qid":"239932","title":"Red Hat Update for firefox (RHSA-2021:5014)"},{"cve":"CVE-2021-43538","qid":"239933","title":"Red Hat Update for firefox (RHSA-2021:5016)"},{"cve":"CVE-2021-43538","qid":"239934","title":"Red Hat Update for firefox (RHSA-2021:5015)"},{"cve":"CVE-2021-43538","qid":"239936","title":"Red Hat Update for firefox (RHSA-2021:5013)"},{"cve":"CVE-2021-43538","qid":"239938","title":"Red Hat Update for thunderbird (RHSA-2021:5046)"},{"cve":"CVE-2021-43538","qid":"239939","title":"Red Hat Update for thunderbird (RHSA-2021:5048)"},{"cve":"CVE-2021-43538","qid":"239940","title":"Red Hat Update for thunderbird (RHSA-2021:5045)"},{"cve":"CVE-2021-43538","qid":"239941","title":"Red Hat Update for thunderbird (RHSA-2021:5047)"},{"cve":"CVE-2021-43538","qid":"257137","title":"CentOS Security Update for firefox (CESA-2021:5014)"},{"cve":"CVE-2021-43538","qid":"376143","title":"Mozilla Firefox Multiple Vulnerabilities (MFSA2021-52)"},{"cve":"CVE-2021-43538","qid":"376144","title":"Mozilla Thunderbird Multiple Vulnerabilities (MFSA2021-54)"},{"cve":"CVE-2021-43538","qid":"376145","title":"Mozilla Firefox ESR Multiple Vulnerabilities (MFSA2021-53)"},{"cve":"CVE-2021-43538","qid":"502071","title":"Alpine Linux Security Update for firefox-esr"},{"cve":"CVE-2021-43538","qid":"502382","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-43538","qid":"502687","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2021-43538","qid":"505449","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-43538","qid":"710574","title":"Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202202-03)"},{"cve":"CVE-2021-43538","qid":"710585","title":"Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202208-14)"},{"cve":"CVE-2021-43538","qid":"751479","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:3995-1)"},{"cve":"CVE-2021-43538","qid":"751480","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:4000-1)"},{"cve":"CVE-2021-43538","qid":"751510","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:1575-1)"},{"cve":"CVE-2021-43538","qid":"751515","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:3993-1)"},{"cve":"CVE-2021-43538","qid":"751542","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:4150-1)"},{"cve":"CVE-2021-43538","qid":"751566","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:1635-1)"},{"cve":"CVE-2021-43538","qid":"940263","title":"AlmaLinux Security Update for firefox (ALSA-2021:5013)"},{"cve":"CVE-2021-43538","qid":"940397","title":"AlmaLinux Security Update for thunderbird (ALSA-2021:5045)"},{"cve":"CVE-2021-43538","qid":"960845","title":"Rocky Linux Security Update for firefox (RLSA-2021:5013)"},{"cve":"CVE-2021-43538","qid":"960881","title":"Rocky Linux Security Update for thunderbird (RLSA-2021:5045)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-43538","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"91.4.0","version_affected":"<"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_value":"91.4.0","version_affected":"<"}]}},{"product_name":"Firefox","version":{"version_data":[{"version_value":"95","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Missing fullscreen and pointer lock notification when requesting both"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-53/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-53/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-54/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-54/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-52/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-52/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1739091","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1739091"},{"refsource":"DEBIAN","name":"DSA-5026","url":"https://www.debian.org/security/2021/dsa-5026"},{"refsource":"MLIST","name":"[debian-lts-announce] 20211229 [SECURITY] [DLA 2863-1] firefox-esr security update","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html"},{"refsource":"DEBIAN","name":"DSA-5034","url":"https://www.debian.org/security/2022/dsa-5034"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"},{"refsource":"GENTOO","name":"GLSA-202202-03","url":"https://security.gentoo.org/glsa/202202-03"},{"refsource":"GENTOO","name":"GLSA-202208-14","url":"https://security.gentoo.org/glsa/202208-14"}]},"description":{"description_data":[{"lang":"eng","value":"By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95."}]}},"nvd":{"publishedDate":"2021-12-08 22:15:00","lastModifiedDate":"2022-12-09 15:55:00","problem_types":["CWE-362"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"91.4.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"91.4.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"95.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"43538","Ordinal":"220605","Title":"CVE-2021-43538","CVE":"CVE-2021-43538","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"43538","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}