CVE-2024-11023

Name of the Vulnerable Software and Affected Versions Firebase JavaScript SDK versions prior to 10.9.0

Description The Firebase JavaScript SDK utilizes a "FIREBASE DEFAULTS" cookie to store configuration data, including an " authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the " authTokenSyncURL" to point to their own server, allowing them to capture user session data transmitted by the SDK.

Recommendations Upgrade Firebase JS SDK to at least version 10.9.0 to resolve the issue. As a temporary workaround, consider restricting access to the " authTokenSyncURL" field to minimize the risk of exploitation.