CVE-2024-4768

6.1 MEDIUM

📋 TL;DR

This vulnerability in Firefox, Firefox ESR, and Thunderbird stems from a bug in how popup notifications interact with WebAuthn, which made it easier for an attacker-controlled page to trick a user into granting a permission they did not intend to grant. It affects Firefox before 126, Firefox ESR before 115.11, and Thunderbird before 115.11. Exploitation requires the user to interact with the deceptive prompt; no memory corruption or code execution is involved.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 126, Firefox ESR < 115.11, Thunderbird < 115.11
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. WebAuthn must be enabled (default).

📦 What is this software?

Firefox is Mozilla's web browser. Firefox ESR (Extended Support Release) is the long-lived branch of Firefox that receives only security and stability fixes for roughly a year per major version and is common in enterprise deployments. Thunderbird is Mozilla's e-mail client, built on the same Gecko engine and on the ESR release train, which is why it shares the 115.11 fix version with Firefox ESR.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker-controlled page could trick the user into approving a WebAuthn prompt (for example a credential registration or a sign-in assertion) that the user did not mean to approve. WebAuthn credentials are bound to the origin that created them, so this does not by itself hand the attacker the user's passkeys for other sites; the worst case is whatever the attacker can do with an approval the user did not intend to give, which the Mozilla advisory does not spell out.

🟠

Likely Case

A user of an unpatched build who lands on an attacker-controlled page and is induced to click through a manipulated popup notification approves a WebAuthn request they did not intend to. The attacker still needs the victim to visit the page and interact with the prompt.

🟢

If Mitigated

Updating to a fixed version removes the bug. Before patching, declining any WebAuthn prompt you did not initiate, and checking that the site in the address bar is the one you expect before approving one, lowers the risk but does not remove it, since the flaw is in how the prompt itself is presented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction with deceptive popups. No public exploit code has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 126+, Firefox ESR 115.11+, Thunderbird 115.11+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-21/

Restart Required: Yes

Instructions:

1. Open the browser or mail client.
2. Go to Help > About Firefox (or Help > About Thunderbird).
3. Allow the automatic update to download and apply, or download the latest release from mozilla.org.
4. Restart the application; the new version is not active until restart.

🔧 Temporary Workarounds

Disable WebAuthn

all

Temporarily disable WebAuthn so that no WebAuthn prompt can be shown at all. This also disables legitimate security-key and passkey sign-ins in that profile for as long as it is in place, so revert it once the fixed version is installed.

about:config
Set security.webauth.webauthn to false

Disable Popup Notifications

all

Not a usable workaround: the 'Ask to save logins and passwords for websites' setting under about:preferences#privacy controls the password manager only and has no effect on WebAuthn prompts. The prompts at issue are part of the WebAuthn flow itself, so the only in-browser mitigation short of updating is the about:config change above.
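The following script is an added example for this page (not Mozilla tooling) that applies the about:config workaround above in a way that sticks across restarts: Firefox and Thunderbird read a user.js file in each profile directory at startup and apply its user_pref() lines on top of the saved preferences, so writing security.webauth.webauthn = false there enforces the setting for that profile until the line is removed. The function names, the default profiles.ini path, and the CRLF handling are this example's own assumptions; on snap or flatpak installs the profile root differs.

```sh
#!/bin/sh
# Added example for this page (not Mozilla tooling): push the temporary
# workaround for CVE-2024-4768 into Mozilla profiles via user.js, and
# remove it again after updating.
# Caveat: this turns off ALL WebAuthn (security keys, passkeys) in the
# profile, not just the affected prompt. Revert once the fixed version
# (Firefox 126 / ESR 115.11 / Thunderbird 115.11) is installed.

PREF_LINE='user_pref("security.webauth.webauthn", false);'

# Append the pref to <profile_dir>/user.js unless it is already present.
# Returns 1 if <profile_dir> is not a directory.
disable_webauthn_in_profile() {
    dir=$1
    [ -d "$dir" ] || return 1
    f="$dir/user.js"
    if [ -f "$f" ] && grep -Fqx "$PREF_LINE" "$f"; then
        return 0                      # idempotent: already applied
    fi
    printf '%s\n' "$PREF_LINE" >> "$f"
}

# Strip the pref line again (post-patch cleanup); other user.js lines are kept.
enable_webauthn_in_profile() {
    f="$1/user.js"
    [ -f "$f" ] || return 0
    grep -Fvx "$PREF_LINE" "$f" > "$f.tmp" || :   # grep exits 1 if nothing is left
    mv "$f.tmp" "$f"
}

# Apply to every profile listed in a profiles.ini. The default is the Linux
# Firefox location; pass ~/.thunderbird/profiles.ini for Thunderbird.
# Path= entries are relative to the ini's directory unless absolute.
apply_to_all_profiles() {
    ini=${1:-"$HOME/.mozilla/firefox/profiles.ini"}
    [ -f "$ini" ] || { echo "no profiles.ini at $ini" >&2; return 1; }
    base=$(dirname "$ini")
    cr=$(printf '\r')
    grep '^Path=' "$ini" | cut -d= -f2- | while IFS= read -r p; do
        p=${p%"$cr"}                  # tolerate CRLF in a Windows-written ini
        case "$p" in
            /*) dir=$p ;;
            *)  dir="$base/$p" ;;
        esac
        if disable_webauthn_in_profile "$dir"; then
            echo "applied: $dir"
        else
            echo "skipped, not a directory: $dir" >&2
        fi
    done
}

# Usage: sh this_script.sh --apply [/path/to/profiles.ini]
if [ "${1-}" = --apply ]; then
    apply_to_all_profiles "${2-}"
fi
```

Run it once per user (profiles.ini lives in the user's home directory), and run enable_webauthn_in_profile on the same directories after the browser has been updated; a profile with this line still in user.js will silently refuse every passkey and security-key login.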

🧯 If You Can't Patch

  • Use a browser that is not affected (for example Chrome or Edge) for WebAuthn sign-ins until the update is applied. For Thunderbird, Mozilla's advisories note that flaws of this kind generally cannot be exploited through e-mail because scripting is disabled when reading mail; the exposure is in browser-like contexts.
  • Web filtering that blocks newly registered or uncategorised domains reduces exposure to lure pages, but it cannot identify this bug specifically and is no substitute for updating.

🔍 How to Verify

Check if Vulnerable:

Check the version in Help > About Firefox/Thunderbird and compare it against the right baseline: release Firefox is fixed at 126, while Firefox ESR (shown with an esr suffix, e.g. 115.10.0esr, in the About dialog and in firefox --version) and Thunderbird are fixed at 115.11. A release-channel Firefox at 115.x is still vulnerable even though 115.11 is the ESR fix version.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Confirm the About dialog shows Firefox 126 or later, Firefox ESR 115.11 or later (with the esr suffix), or Thunderbird 115.11 or later. ESR and Thunderbird versions carry a third component (e.g. 115.11.0esr); compare the components numerically, since 115.9 sorts after 115.11 as a string.
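As an added example (not from the Mozilla advisory or this page's original text), the following POSIX shell script turns the check above into something you can run across a fleet: it parses the banner printed by firefox --version or thunderbird --version, distinguishes release Firefox from ESR by the esr suffix, and compares numerically against the fixed versions listed on this page. The function names and the --check flag are this example's own.

```sh
#!/bin/sh
# Added example for this page (not Mozilla tooling): classify a Mozilla
# version banner against the CVE-2024-4768 fixed versions.
#   Firefox release: fixed in 126      Firefox ESR: fixed in 115.11
#   Thunderbird:     fixed in 115.11
# Usage:  cve_2024_4768_status "$(firefox --version)"
#         cve_2024_4768_status "Thunderbird 115.10.1"
# Prints patched | vulnerable | unknown; exit status 0 | 1 | 2.

# Turn "a.b.c" into a zero-padded integer so versions compare numerically
# ("115.9" < "115.11", which a plain string compare gets wrong).
# Missing components count as 0, so "126" == "126.0" == "126.0.0".
version_num() {
    printf '%s' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

cve_2024_4768_status() {
    banner=$1
    ver=${banner##* }            # last whitespace-separated token is the version
    case "$ver" in
        *esr) channel=esr;     ver=${ver%esr} ;;   # e.g. 115.10.0esr
        *)    channel=release ;;
    esac
    case "$banner" in
        *Thunderbird*) fixed=115.11 ;;
        *Firefox*)     if [ "$channel" = esr ]; then fixed=115.11; else fixed=126; fi ;;
        *)             echo unknown; return 2 ;;
    esac
    if [ "$(version_num "$ver")" -ge "$(version_num "$fixed")" ]; then
        echo patched;    return 0
    else
        echo vulnerable; return 1
    fi
}

# Query whatever Mozilla binaries are on PATH (Linux package installs;
# adjust the binary names or paths for macOS .app bundles or Windows).
check_installed() {
    for bin in firefox thunderbird; do
        command -v "$bin" >/dev/null 2>&1 || continue
        printf '%s: %s\n' "$bin" "$(cve_2024_4768_status "$("$bin" --version 2>/dev/null)")"
    done
}

if [ "${1-}" = --check ]; then
    check_installed
fi
```

The esr suffix matters: without it, an ESR 115.11.0 build would be compared against 126 and falsely flagged, while a release-channel Firefox stuck at 115.x would be compared against 115.11 and falsely passed.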

📡 Detection & Monitoring

Log Indicators:

  • Browsers do not emit WebAuthn prompts or permission grants to the operating-system log or to a SIEM, so there is no reliable event-based indicator for this bug.
  • The practical signal is inventory: endpoints reporting Firefox below 126, Firefox ESR below 115.11, or Thunderbird below 115.11 in software-inventory or endpoint-management data.

Network Indicators:

  • A User-Agent header identifying an unpatched Firefox (e.g. Firefox/125.0) in proxy logs points at unpatched clients. Note that Firefox ESR reports only the major version in its User-Agent (Firefox/115.0), so 115.10 and 115.11 cannot be told apart at the proxy; use inventory data for ESR.
  • Visits to lure pages that issue WebAuthn requests look the same on the wire as legitimate passkey use; treat web-filtering hits on newly registered or uncategorised domains as the usual phishing signal, not as a detection of this CVE.

SIEM Query:

Inventory-based placeholder; source and field names must be adapted to your inventory schema, and versions should be compared as split numeric components, not as strings ("9" sorts after "115" in a string compare):

(product="Firefox" AND channel="release" AND version_major<126) OR (product IN ("Firefox ESR","Thunderbird") AND (version_major<115 OR (version_major=115 AND version_minor<11)))

🔗 References

  • Mozilla Foundation Security Advisory 2024-21: https://www.mozilla.org/security/advisories/mfsa2024-21/
  • NVD entry for CVE-2024-4768: https://nvd.nist.gov/vuln/detail/CVE-2024-4768
