A race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab. In conjunction with certain elements (such as <input type="file">) this could have led to an attack where a user was confused about the origin of the webpage and potentially disclosed information they did not intend to. This vulnerability affects Firefox < 88.

Related CVEs

CVE-2021-24000

Key Information

GHSA ID

GHSA-5fpx-ww3h-p9hw

Published

May 24, 2022 7:06 PM

Last Modified

August 8, 2023 3:31 PM

CVSS Score

2.5 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: September 13, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.