PT-2024-8799 · Mozilla+10 · Firefox+11

Masato Kinugawa · Published 2024-11-25 · Updated 2026-05-19 · CVE-2024-11694

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions:
Firefox versions prior to 133
Firefox ESR versions prior to 128.5
Firefox ESR versions prior to 115.18
Thunderbird versions prior to 133
Thunderbird versions prior to 128.5
Thunderbird versions prior to 115.18

Description: The issue is related to Enhanced Tracking Protection's Strict mode, which may have allowed a Content Security Policy (CSP) frame-src bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This could have exposed users to malicious frames masquerading as legitimate content, potentially allowing an attacker to perform a DOM-based XSS attack by exploiting the lack of protection for the web page structure.

Recommendations:
For Firefox versions prior to 133, update to version 133 or later.
For Firefox ESR versions prior to 128.5, update to version 128.5 or later.
For Firefox ESR versions prior to 115.18, update to version 115.18 or later.
For Thunderbird versions prior to 133, update to version 133 or later.
For Thunderbird versions prior to 128.5, update to version 128.5 or later.
For Thunderbird versions prior to 115.18, update to version 115.18 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers

ALSA-2024:10591
ALSA-2024:10592
ALSA-2024:10702
ALSA-2024:10752
ALSA-2026:18479
ALT-PU-2024-16375
ALT-PU-2024-16377
ALT-PU-2024-16378
ALT-PU-2025-1049
ALT-PU-2025-2027
ALT-PU-2025-2230
BDU:2024-10431
CESA-2024_10591
CESA-2024_10752
CVE-2024-11694
DLA-3969-1
DLA-3971-1
DSA-5820-1
DSA-5821-1
INFSA-2024_10591
INFSA-2024_10592
INFSA-2024_10702
INFSA-2024_10752
MGASA-2024-0383
MGASA-2024-0384
OESA-2024-2523
OESA-2025-1835
OPENSUSE-SU-2024:14533-1
OPENSUSE-SU-2024:14542-1
OPENSUSE-SU-2024:14572-1
OPENSUSE-SU-2024:14583-1
OPENSUSE-SU-2024_4086-1
OPENSUSE-SU-2024_4148-1
RHSA-2024:10591
RHSA-2024:10592
RHSA-2024:10667
RHSA-2024:10702
RHSA-2024:10703
RHSA-2024:10704
RHSA-2024:10710
RHSA-2024:10733
RHSA-2024:10734
RHSA-2024:10742
RHSA-2024:10743
RHSA-2024:10745
RHSA-2024:10748
RHSA-2024:10752
RHSA-2024:10844
RHSA-2024:10848
RHSA-2024:10849
RHSA-2024:10880
RHSA-2024:10881
RHSA-2024_10591
RHSA-2024_10592
RHSA-2024_10702
RHSA-2024_10752
RLSA-2024:10591
RLSA-2024:10752
SUSE-SU-2024:4074-1
SUSE-SU-2024:4086-1
SUSE-SU-2024:4148-1
USN-7134-1
USN-7193-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Firefox
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Thunderbird
Ubuntu