PT-2024-7811 · Mozilla+9 · Thunderbird+11
Satoki Tsuji · Published 2024-10-01 · Updated 2026-02-02 · CVE-2024-9398
CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Firefox versions prior to 131
Firefox ESR versions prior to 128.3
Thunderbird versions prior to 128.3
Thunderbird versions prior to 131
Description
This issue is related to the window.open function in Mozilla browsers, where inconsistent results can lead to information disclosure. An attacker could determine whether an application that implements a specific protocol handler is installed by checking the result of calls to window.open with specifically set protocol handlers. This could allow a remote attacker to gain unauthorized access to protected information.
Recommendations
For Firefox versions prior to 131, update to version 131 or later to resolve the issue.
For Firefox ESR versions prior to 128.3, update to version 128.3 or later to resolve the issue.
For Thunderbird versions prior to 128.3, update to version 128.3 or later to resolve the issue.
For Thunderbird versions prior to 131, update to version 131 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the window.open function with specifically set protocol handlers until a patch is available.
Fix
Information Disclosure
Side Channel Attack
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Firefox
Firefox ESR
Linux Mint
Red Hat
Rocky Linux
SUSE
Thunderbird
Ubuntu