The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain. Under the correct circumstances, an attacker may have been able to poison the local browser cache by priming it with a `fetch()` response controlled by the additional headers. Upon navigation to the same URL, the user would see the cached response instead of the expected response. This vulnerability affects Firefox < 123.
The cache key did not account for optional headers that a fetch() request could contain. Because of this, an attacker could prime the cache using a fetch() response modified by additional headers. When the user subsequently navigated to the same URL, the browser returned poisoned data from the cache instead of the actual server response. The mechanism results from the lack of cache key integrity verification (CWE-345 — insufficient verification of data authenticity).
An attacker can replace the content displayed to the user with any specially crafted content, which may lead to credential theft, distribution of false information, or execution of malicious JavaScript code in the context of a trusted website.
Mozilla Firefox should be updated to version 123 or newer. Patch available through Mozilla Foundation Security Advisory mfsa2024-05.
Mozilla Firefox in versions earlier than 123
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 123.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...