Firefox vulnerability allows attacker to determine if application is installed

CVE-2024-9398

5.3MEDIUM

Key Information

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 1 October 2024

Summary

By checking the result of calls to window.open with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

Affected Version(s)

Firefox < 131

Firefox ESR < 128.3

Thunderbird < 128.3

Refferences

https://bugzilla.mozilla.org/show_bug.cgi?id=1881037

https://www.mozilla.org/security/advisories/mfsa2024-46/

https://www.mozilla.org/security/advisories/mfsa2024-47/

https://www.mozilla.org/security/advisories/mfsa2024-49/

https://www.mozilla.org/security/advisories/mfsa2024-50/

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability Reserved
Oct 1, 2024
Vulnerability published
Oct 1, 2024

Collectors

NVD DatabaseMitre Database

Credit

Satoki Tsuji