PT-2024-7775 · Mozilla+10 · Thunderbird+12

Masato Kinugawa · Published 2024-10-01 · Updated 2025-07-18 · CVE-2024-9393

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Firefox versions prior to 131
Firefox ESR versions prior to 128.3
Firefox ESR versions prior to 115.16
Thunderbird versions prior to 128.3
Thunderbird versions prior to 131

Description

The issue is related to a CORS mechanism error in Mozilla Firefox, Firefox ESR, and the Thunderbird email client, specifically with the resource://pdf.js path. An attacker could exploit this by sending a specially crafted multipart response, allowing them to execute arbitrary JavaScript under the resource://pdf.js origin. This could enable access to cross-origin PDF content, with the level of access varying between desktop and Android versions due to the Site Isolation feature.

Recommendations

For Firefox versions prior to 131, update to version 131 or later.
For Firefox ESR versions prior to 128.3, update to version 128.3 or later.
For Firefox ESR versions prior to 115.16, update to version 115.16 or later.
For Thunderbird versions prior to 128.3, update to version 128.3 or later.
For Thunderbird versions prior to 131, update to version 131 or later.

As a temporary workaround, consider restricting access to the resource://pdf.js path until a patch is available.

Fix

Origin Validation Error

Code Injection

Weakness Enumeration

Related Identifiers

ALSA-2024:7505
ALSA-2024:7552
ALSA-2024:7699
ALSA-2024:7700
ALT-PU-2024-13895
ALT-PU-2024-13897
ALT-PU-2024-13898
ALT-PU-2024-14780
ALT-PU-2024-15087
ALT-PU-2024-15839
ALT-PU-2024-15840
ALT-PU-2024-15841
BDU:2024-09268
CESA-2024_7699
CESA-2024_7700
CVE-2024-9393
DLA-3913-1
DLA-3916-1
DSA-5783-1
DSA-5789-1
INFSA-2024_7505
INFSA-2024_7552
INFSA-2024_7699
INFSA-2024_7700
MGASA-2024-0334
OESA-2024-2275
OESA-2025-1265
OESA-2025-1268
OESA-2025-1835
OPENSUSE-SU-2024:14385-1
OPENSUSE-SU-2024:14394-1
OPENSUSE-SU-2024:14397-1
OPENSUSE-SU-2024:14572-1
OPENSUSE-SU-2024_3614-1
OPENSUSE-SU-2024_3629-1
RHSA-2024:7505
RHSA-2024:7552
RHSA-2024:7621
RHSA-2024:7622
RHSA-2024:7646
RHSA-2024:7699
RHSA-2024:7700
RHSA-2024:7702
RHSA-2024:7703
RHSA-2024:7704
RHSA-2024:7842
RHSA-2024:7853
RHSA-2024:7854
RHSA-2024:7855
RHSA-2024:7856
RHSA-2024:8166
RHSA-2024:8169
RHSA-2024_7505
RHSA-2024_7552
RHSA-2024_7699
RHSA-2024_7700
RLSA-2024:7699
RLSA-2024:7700
SUSE-SU-2024:3518-1
SUSE-SU-2024:3519-1
SUSE-SU-2024:3603-1
SUSE-SU-2024:3614-1
SUSE-SU-2024:3629-1
USN-7056-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Firefox
Firefox ESR
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Thunderbird
Ubuntu