CVE-2024-9398
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
By checking the result of calls to window.open with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mozilla | Firefox | unspecified < 131 | affected |
| Mozilla | Firefox ESR | unspecified < 128.3 | affected |
| Mozilla | Thunderbird | unspecified < 128.3 | affected |
| Mozilla | Thunderbird | unspecified < 131 | affected |
Weaknesses
- External protocol handlers could be enumerated via popups
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1881037
- https://www.mozilla.org/security/advisories/mfsa2024-46/
- https://www.mozilla.org/security/advisories/mfsa2024-47/
- https://www.mozilla.org/security/advisories/mfsa2024-49/
- https://www.mozilla.org/security/advisories/mfsa2024-50/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.