From 6bc5983b866d7ca03d3c529e0bb8c17ad47afd4d Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Wed, 27 Nov 2024 06:37:09 -0500
Subject: Fix CVE-2024-11692.
* data/patches/CVE-2024-11692.patch: New file.
---
data/patches/CVE-2024-11692.patch | 61 +++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 data/patches/CVE-2024-11692.patch
diff --git a/data/patches/CVE-2024-11692.patch b/data/patches/CVE-2024-11692.patch
new file mode 100644
index 0000000..393fe5e
--- /dev/null
+++ b/data/patches/CVE-2024-11692.patch
@@ -0,0 +1,61 @@
+Fixes CVE-2024-11692 (Select list elements could be shown over another site)
+Based on
+Adapted to ESR 115 by Mark H Weaver
+
+# HG changeset patch
+# User Edgar Chen
+# Date 1730556179 0
+# Node ID a6cf1a7cd289db4f46cb34f4dd16cce133b25e8d
+# Parent e983e8a66e515a2e32497cec1b3ccf439396dadc
+Bug 1909535 - Don't show select dropdown in background tabs; a=dmeehan
+
+Original Revision: https://phabricator.services.mozilla.com/D225706
+
+Differential Revision: https://phabricator.services.mozilla.com/D227607
+
+diff --git a/toolkit/actors/SelectParent.sys.mjs b/toolkit/actors/SelectParent.sys.mjs
+--- a/toolkit/actors/SelectParent.sys.mjs
++++ b/toolkit/actors/SelectParent.sys.mjs
+@@ -273,16 +273,41 @@ export var SelectParentHelper = {
+ }
+
+ this._currentZoom = zoom;
+ this._currentMenulist = menulist;
+ this.populateChildren(menulist, items, uniqueItemStyles, selectedIndex);
+ },
+
+ open(browser, menulist, rect, isOpenedViaTouch, selectParentActor) {
++ const canOpen = (() => {
++ if (!menulist.ownerDocument.hasFocus()) {
++ // Don't open in inactive browser windows.
++ return false;
++ }
++ if (browser) {
++ if (!browser.browsingContext.isActive) {
++ // Don't open in inactive tabs.
++ return false;
++ }
++ let tabbrowser = browser.getTabBrowser();
++ if (tabbrowser && tabbrowser.selectedBrowser != browser) {
++ // AsyncTabSwitcher might delay activating our browser, check
++ // explicitly for tabbrowser.
++ return false;
++ }
++ }
++ return true;
++ })();
++
++ if (!canOpen) {
++ selectParentActor.sendAsyncMessage("Forms:DismissedDropDown", {});
++ return;
++ }
++
+ this._actor = selectParentActor;
+ menulist.hidden = false;
+ this._currentBrowser = browser;
+ this._closedWithEnter = false;
+ this._selectRect = rect;
+ this._registerListeners(menulist.menupopup);
+
+ // Set the maximum height to show exactly MAX_ROWS items.
+
-- 
cgit v1.2.3
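Review bot: The `canOpen` guard added at the top of `open()` is evaluated only once, and nothing visible in this hunk dismisses an already-open popup if the tab or window stops being active afterwards. The rest of `open()` lies outside the hunk, so it is worth confirming on ESR 115 that the listeners set up by `_registerListeners(menulist.menupopup)` cover that case. The `if (browser)` branch also means a call without a browser is gated only by `menulist.ownerDocument.hasFocus()`, which deserves a comment such as `// No browser: only the window-focus check applies; the tab checks are skipped.` Since this is a hand-adapted backport, the commit message could also record how the result was checked against the upstream revision D227607 named in the patch header.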