CVE-2024-9398

Summary

By checking the result of calls to window.open with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 131affected
MozillaFirefox ESRunspecified < 128.3affected
MozillaThunderbirdunspecified < 128.3affected
MozillaThunderbirdunspecified < 131affected

Weaknesses

  • External protocol handlers could be enumerated via popups

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References