CVE-2024-11698

9.8 CRITICAL

📋 TL;DR

A fullscreen transition flaw in Firefox and Thunderbird on macOS causes applications to become stuck in fullscreen mode when modal dialogs appear during transitions. This prevents users from exiting fullscreen using standard methods like Esc key or right-click menus, requiring browser restart. Only affects macOS users running vulnerable Firefox (<133, ESR <128.5) or Thunderbird (<133, <128.5) versions.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, Thunderbird < 128.5
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS systems. Other operating systems are unaffected. Requires user to trigger fullscreen transition with modal dialog.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service where users cannot exit fullscreen mode, potentially disrupting critical workflows or trapping users in malicious fullscreen content.

🟠 Likely Case: User experience disruption requiring application restart, potentially causing data loss in unsaved sessions.

🟢 If Mitigated: Minor inconvenience with quick restart resolving the issue, no data compromise.

🌐 Internet-Facing: LOW - This is a client-side UI bug requiring user interaction, not remotely exploitable.
🏢 Internal Only: LOW - Same as internet facing; requires local user interaction on affected macOS systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (triggering modal during fullscreen transition). This is a UI bug rather than a security vulnerability despite high CVSS score.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 133+, Firefox ESR 128.5+, Thunderbird 133+, Thunderbird 128.5+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-63/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow automatic update check and installation.
4. Restart application when prompted.

🔧 Temporary Workarounds

Avoid modal dialogs during fullscreen (all platforms)

Prevent triggering the bug by avoiding modal dialog interactions during fullscreen transitions.

Force quit application (macOS)

If stuck in fullscreen, use macOS Force Quit (Cmd+Option+Esc) to terminate the application.

🧯 If You Can't Patch

  • Switch to alternative browser on macOS until patched
  • Disable fullscreen mode in application preferences

🔍 How to Verify

Check if Vulnerable:

Check whether the system is running macOS with Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, or Thunderbird < 128.5, using the About menu.

Check Version:

Open application → Help → About Firefox/Thunderbird

Verify Fix Applied:

Confirm version is Firefox ≥133, Firefox ESR ≥128.5, Thunderbird ≥133, or Thunderbird ≥128.5.
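
To run the same check across many Macs without opening the About dialog, the version comparison can be scripted. This is an added example, not taken from the vendor advisory; the function names and the default `/Applications` install paths are assumptions.

```shell
#!/bin/sh
# Added example: classify a Firefox/Thunderbird version string against the
# fixed versions this page lists (133+, or 128.5+ on the 128 ESR branch).

# Exit status: 0 = fixed, 1 = vulnerable, 2 = version string not recognised.
cve_2024_11698_fixed() {
    _ver=${1%esr}                          # "128.5.0esr" -> "128.5.0"
    _major=${_ver%%.*}
    _rest=${_ver#*.}
    [ "$_rest" = "$_ver" ] && _rest=0      # no dot ("133"): minor is 0
    _minor=${_rest%%.*}
    case "$_major" in ''|*[!0-9]*) return 2 ;; esac
    case "$_minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$_major" -ge 133 ] && return 0
    [ "$_major" -eq 128 ] && [ "$_minor" -ge 5 ] && return 0
    return 1
}

# Assumption: the apps are installed in the default /Applications location.
audit_local_apps() {
    for _app in Firefox Thunderbird; do
        _plist="/Applications/$_app.app/Contents/Info.plist"
        [ -f "$_plist" ] || continue
        _v=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$_plist")
        _rc=0; cve_2024_11698_fixed "$_v" || _rc=$?
        case $_rc in
            0) echo "$_app $_v: fixed" ;;
            1) echo "$_app $_v: VULNERABLE to CVE-2024-11698" ;;
            *) echo "$_app $_v: version not recognised, check manually" ;;
        esac
    done
}

# The bug only affects macOS, so skip the audit elsewhere.
if [ "$(uname -s)" = Darwin ]; then
    audit_local_apps
fi
```

Versions on other branches below 133 (for example 129 to 132) are reported as vulnerable, and pre-release strings such as betas are flagged for manual review.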

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs related to fullscreen transitions
  • User reports of stuck fullscreen mode

SIEM Query:

Not applicable - client-side UI bug with no network indicators
