CVE-2024-4767 — Incomplete Cleanup in Mozilla Firefox

CWE-459 — Incomplete Cleanup CWE-359 — Exposure of Private Personal Information to an Unauthorized Actor CWE-212 — Improper Removal of Sensitive Information Before Storage or Transfer14 documents8 sources

Severity

4.3MEDIUMNVD

OSV8.8

EPSS

0.9%

top 24.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +1 more

Timeline

PublishedMay 14

Latest updateMay 29

Description

If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages8 packages

▶CVEListV5mozilla/firefoxunspecified — 126

▶NVDmozilla/firefox< 115.11.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 115.11

▶Ubuntumozilla/firefox< 126.0+build2-0ubuntu0.20.04.1+1

▶CVEListV5mozilla/thunderbirdunspecified — 115.11

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

firefox regressions↗2024-05-29

▶

OSV

thunderbird vulnerabilities↗2024-05-22

▶

OSV

firefox vulnerabilities↗2024-05-21

▶

OSV

CVE-2024-4767: If the `browser↗2024-05-14

▶

CVEList

CVE-2024-4767: If the `browser↗2024-05-14

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2024-05-22

▶

Ubuntu

Firefox vulnerabilities↗2024-05-21

▶

Red Hat

Mozilla: IndexedDB files retained in private browsing mode↗2024-05-14

▶

Debian

CVE-2024-4767: firefox - If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB file...↗2024

▶

Mozilla

Mozilla Foundation Security Advisory 2024-22: CVE-2024-4767↗

▶