CVE-2024-9398
published 2024-10-01CVE-2024-9398: By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that…
medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 131.0-1 (sid) | firefox 131.0-1 (sid) |
| debian | thunderbird | < firefox 131.0-1 (sid) | firefox 131.0-1 (sid) |
| mozilla | firefox | < 131.0 | 131.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 131.0+build1.1-0ubuntu0.20.04.1 | 131.0+build1.1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 131 | 131 |
| mozilla | firefox_esr | < 128.3.0 | 128.3.0 |
| mozilla | firefox_esr | >= unspecified < 128.3 | 128.3 |
| mozilla | thunderbird | < 128.3 | 128.3 |
| mozilla | thunderbird | — | — |
| mozilla | thunderbird | >= 0 < 1:128.3.0esr-1 | 1:128.3.0esr-1 |
| mozilla | thunderbird | >= 0 < 1:128.3.0esr-1 | 1:128.3.0esr-1 |
| mozilla | thunderbird | >= unspecified < 128.3 | 128.3 |
| mozilla | thunderbird | >= unspecified < 131 | 131 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
osv9.8CRITICAL
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2026-02-02
CVE-2025-8031 Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-10-07·CVSS 9.8
CVE-2024-9394 [CRITICAL] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-9392,
CVE-2024-9396, CVE-2024-9397, CVE-2024-9398, CVE-2024-9399, CVE-2024-9400,
CVE-2024-9401, CVE-2024-9402, CVE-2024-9403)
Masato Kinugawa discovered that Firefox did not properly validate
javascript under the "resource://pdf.js" origin. An attacker could
potentially exploit this issue to execute arbitrary javascript code and
access cross-origin PDF content. (CVE-2024-9393)
Masato Kinugawa discovered that Firefox did not properl
Red Hat
firefox: thunderbird: External protocol handlers could be enumerated via popups
vendor_redhat·2024-10-01·CVSS 5.3
CVE-2024-9398 [MEDIUM] CWE-203 firefox: thunderbird: External protocol handlers could be enumerated via popups
firefox: thunderbird: External protocol handlers could be enumerated via popups
By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
The Mozilla Foundation's Security Advisory: By checking the result of calls to window.open with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.
Package: firefox (Red Hat Enterprise Linux 10) - Affected
P
Debian
CVE-2024-9398: firefox - By checking the result of calls to `window.open` with specifically set protocol ...
vendor_debian·2024·CVSS 5.3
CVE-2024-9398 [MEDIUM] CVE-2024-9398: firefox - By checking the result of calls to `window.open` with specifically set protocol ...
By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
Scope: local
sid: resolved (fixed in 131.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-47: CVE-2024-9398
vendor_mozilla·CVSS 5.3
CVE-2024-9398 [MEDIUM] Mozilla Foundation Security Advisory 2024-47: CVE-2024-9398
Mozilla Foundation Security Advisory 2024-47
CVE: CVE-2024-9398
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 128.3
Mozilla
Mozilla Foundation Security Advisory 2024-46: CVE-2024-9398
vendor_mozilla·CVSS 5.3
CVE-2024-9398 [MEDIUM] Mozilla Foundation Security Advisory 2024-46: CVE-2024-9398
Mozilla Foundation Security Advisory 2024-46
CVE: CVE-2024-9398
Product: Firefox
Impact: high
Fixed in: Firefox 131
Mozilla
Mozilla Foundation Security Advisory 2024-49: CVE-2024-9398
vendor_mozilla·CVSS 5.3
CVE-2024-9398 [MEDIUM] Mozilla Foundation Security Advisory 2024-49: CVE-2024-9398
Mozilla Foundation Security Advisory 2024-49
CVE: CVE-2024-9398
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 128.3
Mozilla
Mozilla Foundation Security Advisory 2024-50: CVE-2024-9398
vendor_mozilla·CVSS 5.3
CVE-2024-9398 [MEDIUM] Mozilla Foundation Security Advisory 2024-50: CVE-2024-9398
Mozilla Foundation Security Advisory 2024-50
CVE: CVE-2024-9398
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 131
OSV
firefox vulnerabilities
osv·2024-10-07·CVSS 9.8
CVE-2024-9392 [CRITICAL] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-9392,
CVE-2024-9396, CVE-2024-9397, CVE-2024-9398, CVE-2024-9399, CVE-2024-9400,
CVE-2024-9401, CVE-2024-9402, CVE-2024-9403)
Masato Kinugawa discovered that Firefox did not properly validate
javascript under the "resource://pdf.js" origin. An attacker could
potentially exploit this issue to execute arbitrary javascript code and
access cross-origin PDF content. (CVE-2024-9393)
Masato Kinugawa discovered that Firefox did not properly validate
javascript under the "resource://devtools" origin. An
OSV
CVE-2024-9398: By checking the result of calls to `window
osv·2024-10-01·CVSS 5.3
CVE-2024-9398 [MEDIUM] CVE-2024-9398: By checking the result of calls to `window
By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
GHSA
GHSA-3qpq-hc75-5535: By checking the result of calls to `window
ghsa_unreviewed·2024-10-01
CVE-2024-9398 [MEDIUM] CWE-203 GHSA-3qpq-hc75-5535: By checking the result of calls to `window
By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-10-01
Published