CVE-2024-8382 — Improper Check for Dropped Privileges in Mozilla Firefox
Severity
8.8 HIGH (NVD)
OSV 9.8, OSV 9.6
EPSS
0.2%
top 52.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 3
Latest update: Sep 23
Description
Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, Firefox ESR < 115.15, Thunderbird < 128.2, and Thunderbird < 115.15.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 8 packages
Vulnerability Details
6 OSV
CVE-2024-8382: Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events (2024-09-03)
GHSA
GHSA-ph32-hgpc-r5j4: Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events (2024-09-03)