A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
The vulnerability stems from a violation of the origin isolation principle (CWE-346 — Origin Validation Error). Under normal circumstances, the same-origin policy mechanism prevents content processes from accessing resources from other domains. In the case of this vulnerability, a compromised content process can bypass this control and load arbitrary cross-origin pages, which opens the way for further abuse of the browser or email client environment.
An attacker who gains control over the content process can obtain unauthorized access to data from other pages and potentially affect their integrity and availability, which corresponds to a complete breach of confidentiality, integrity, and availability (CVSS C:H/I:H/A:H).
Software should be updated to the following versions: Firefox 131 or newer, Firefox ESR 128.3 or newer, Firefox ESR 115.16 or newer, Thunderbird 128.3 or newer, Thunderbird 131 or newer. Detailed information available in Mozilla security bulletins: mfsa2024-46, mfsa2024-47, mfsa2024-48.
Mozilla Firefox versions below 131, Mozilla Firefox ESR versions below 128.3 and below 115.16, Mozilla Thunderbird versions below 128.3 and below 131.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 115.6.0< 131.0Mozilla Thunderbird
APPMozilla< 128.3.0129.0 – 131.0 (bez)
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...