PT-2024-1981 · Mozilla+4 · Firefox+4
Scarlet
·
Published
2024-02-20
·
Updated
2025-03-14
·
CVE-2024-1554
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Firefox versions prior to 123
Description
The
fetch() API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers fetch() may contain. Under the correct circumstances, an attacker may have been able to poison the local browser cache by priming it with a fetch() response controlled by the additional headers. Upon navigation to the same URL, the user would see the cached response instead of the expected response.Recommendations
For Firefox versions prior to 123, update to a version that includes the fix for this issue to prevent cache poisoning attacks. As a temporary workaround, consider disabling the
fetch() API or restricting its use until a patch is available. Avoid using the fetch() API with optional headers that may be controlled by an attacker.Exploit
Fix
Insufficient Verification of Data Authenticity
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Firefox
Linuxmint
Ubuntu