CVE-2022-22761 in Thunderbird
Summary
by MITRE • 12/22/2022
Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/11/2026
This vulnerability represents a critical security flaw in the content security policy implementation of mozilla web extensions, specifically affecting the frame-ancestors directive enforcement mechanism. The issue arises when web-accessible extension pages utilize the moz-extension:// scheme, which creates a unique security context that should properly isolate extension content from potentially malicious parent frames. The flaw occurs because the browser fails to correctly validate the frame-ancestors directive when it is included within the web extension's content security policy, allowing for potential clickjacking and cross-frame injection attacks.
The technical implementation of this vulnerability stems from the improper enforcement of browser security policies that should prevent web-accessible extension pages from being embedded within malicious frames. When a web extension defines a content security policy containing frame-ancestors directives, the browser should verify that the embedding context complies with these restrictions. However, in affected versions of firefox, thunderbird, and firefox esr, the frame-ancestors validation logic is bypassed for moz-extension:// scheme pages, effectively disabling the intended security protection. This creates a scenario where malicious websites could potentially embed extension pages within iframes, undermining the security boundaries that should exist between extension content and external web content.
The operational impact of this vulnerability is significant as it allows attackers to exploit the trust relationship between web extensions and their intended contexts. An attacker could craft malicious web pages that embed legitimate extension functionality within iframes, potentially leading to unauthorized access to extension APIs, data leakage, or manipulation of extension behavior. The vulnerability affects not only the browser itself but also the broader extension ecosystem, as it undermines the security assumptions that extension developers rely on when designing their web-accessible components. This creates a potential attack surface that could be exploited across all web extensions installed in affected browsers, particularly those with elevated permissions or access to sensitive user data.
The security implications extend beyond simple frame embedding and touch upon fundamental web security principles that are codified in standards such as cwe-1021, which addresses improper restriction of rendering of objects across domains, and aligns with att&ck technique t1211 for exploitation of web browsers. Organizations and users running affected versions should immediately update to patched releases, as the vulnerability provides attackers with a straightforward method to bypass content security policy protections that are fundamental to browser security. The fix implemented in newer versions ensures proper validation of frame-ancestors directives for moz-extension:// scheme pages, restoring the intended security boundaries that protect extension content from malicious embedding scenarios. This vulnerability serves as a reminder of the complexity involved in implementing secure cross-origin communication mechanisms and the critical importance of thorough security testing for browser extension frameworks.