CVE-2024-9394

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 131 Firefox ESR versions prior to 128.3 Firefox ESR versions prior to 115.16 Thunderbird versions prior to 128.3 Thunderbird versions prior to 131

Description An attacker could execute arbitrary JavaScript under the resource://devtools origin via a specially crafted multipart response. This could allow them to access cross-origin JSON content, with access limited to "same site" documents on desktop clients due to the Site Isolation feature, but full cross-origin access is possible on Android versions.

Recommendations For Firefox versions prior to 131, update to version 131 or later. For Firefox ESR versions prior to 128.3, update to version 128.3 or later. For Firefox ESR versions prior to 115.16, update to version 115.16 or later. For Thunderbird versions prior to 128.3, update to version 128.3 or later. For Thunderbird versions prior to 131, update to version 131 or later. As a temporary workaround, consider disabling access to the resource://devtools origin until a patch is available.