A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128 and Thunderbird < 128.
The attack exploits a nested iframe element that triggers cross-site navigation. Under normal circumstances, cookies with the SameSite=Strict or SameSite=Lax attribute should not be sent in requests initiated from other websites. However, a bug in the browser's logic causes SameSite restrictions to be bypassed in the described scenario, and cookies are included in the request despite crossing the origin boundary. This allows an attacker to carry out an attack from an external website with the victim's authentication.
An attacker can bypass SameSite cookie protections and send authenticated requests on behalf of the victim to other websites, effectively opening the door to Cross-Site Request Forgery (CSRF) attacks and unauthorized access to resources protected by the user's session.
Mozilla Firefox should be updated to version 128 or newer, and Mozilla Thunderbird should be updated to version 128 or newer. Patches have been described in official Mozilla security bulletins MFSA2024-29 and MFSA2024-32.
Mozilla Firefox in versions below 128 and Mozilla Thunderbird in versions below 128.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 128.0Mozilla Thunderbird
APPMozilla< 128.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...