Mozilla Firefox Vulnerability Allows Cross-Origin JavaScript Execution
CVE-2024-9394

7.5HIGH

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 1 October 2024

Summary

A significant flaw has been identified in Mozilla Firefox and Thunderbird that allows an attacker to execute arbitrary JavaScript within the resource://devtools origin. Specifically, this vulnerability enables unauthorized access to cross-origin JSON content. On desktop clients, the Site Isolation feature restricts this access to 'same site' documents; however, on Android versions, attackers can achieve full cross-origin access, raising serious security concerns. Users are urged to update to the latest versions of Firefox and Thunderbird to mitigate associated risks.

Affected Version(s)

Firefox < 131

Firefox ESR < 128.3

Firefox ESR < 115.16

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1918874

https://www.mozilla.org/security/advisories/mfsa2024-46/

https://www.mozilla.org/security/advisories/mfsa2024-47/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 1, 2024
Vulnerability Reserved
Oct 1, 2024

Credit

Masato Kinugawa