CVE-2024-9398 — Observable Discrepancy in Mozilla Firefox

CWE-203 — Observable Discrepancy13 documents8 sources

Severity

5.3MEDIUMNVD

OSV9.8

EPSS

0.8%

top 25.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedOct 1

Latest updateFeb 2

Description

By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages8 packages

▶CVEListV5mozilla/firefoxunspecified — 131

▶NVDmozilla/firefox< 131.0

▶CVEListV5mozilla/firefox_esrunspecified — 128.3

▶CVEListV5mozilla/thunderbirdunspecified — 128.3+1

▶NVDmozilla/firefox_esr< 128.3.0

🔴Vulnerability Details

OSV

firefox vulnerabilities↗2024-10-07

▶

CVEList

CVE-2024-9398: By checking the result of calls to `window↗2024-10-01

▶

OSV

CVE-2024-9398: By checking the result of calls to `window↗2024-10-01

▶

GHSA

GHSA-3qpq-hc75-5535: By checking the result of calls to `window↗2024-10-01

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Ubuntu

Firefox vulnerabilities↗2024-10-07

▶

Red Hat

firefox: thunderbird: External protocol handlers could be enumerated via popups↗2024-10-01

▶

Debian

CVE-2024-9398: firefox - By checking the result of calls to `window.open` with specifically set protocol ...↗2024

▶

Mozilla

Mozilla Foundation Security Advisory 2024-47: CVE-2024-9398↗

▶