CVE-2024-9394
📋 TL;DR
This vulnerability allows attackers to execute arbitrary JavaScript in the privileged devtools origin via specially crafted multipart responses, enabling cross-origin JSON data theft. On Android devices this provides full cross-origin access; on desktop, Site Isolation limits the exposure to same-site documents. Affected software includes Firefox, Firefox ESR, and Thunderbird below the patched versions listed under Fix & Mitigation.
💻 Affected Systems
- Mozilla Firefox
- Mozilla Firefox ESR
- Mozilla Thunderbird
📦 What is this software?
Firefox by Mozilla
Firefox ESR by Mozilla
Thunderbird by Mozilla
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal sensitive cross-origin data including authentication tokens, session cookies, and private user information from any website visited by the victim on Android devices.
Likely Case
Targeted attacks stealing specific cross-origin data from vulnerable Android browsers, with limited same-site data theft on desktop browsers.
If Mitigated
No impact if browsers are updated to patched versions or if Android devices are not used for sensitive browsing.
🎯 Exploit Status
Exploitation requires crafting multipart responses and convincing users to visit malicious sites, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firefox 131+, Firefox ESR 128.3+, Firefox ESR 115.16+, Thunderbird 128.3+, Thunderbird 131+
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-46/
Restart Required: Yes
Instructions:
1. Open the affected application.
2. Go to Help > About Firefox/Thunderbird.
3. Allow the automatic update check and installation.
4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript
Disabling JavaScript prevents the arbitrary code execution but breaks most website functionality.
about:config > javascript.enabled = false
Enable Enhanced Tracking Protection
May block some malicious scripts but is not a complete mitigation.
Settings > Privacy & Security > Enhanced Tracking Protection > Strict
🧯 If You Can't Patch
- Use alternative browsers on Android devices for sensitive activities
- Implement network filtering to block known malicious domains serving multipart exploits
🔍 How to Verify
Check if Vulnerable:
Check the browser version against the affected ranges: Firefox < 131; Firefox ESR 128.x < 128.3 or 115.x < 115.16; Thunderbird 128.x < 128.3 or any other release < 131
Check Version:
Firefox/Thunderbird: about:support > Application Basics > Version
Verify Fix Applied:
Confirm the version is equal to or greater than the fixed release for its branch: Firefox 131; Firefox ESR 128.3 or 115.16; Thunderbird 128.3 or 131
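As an added example (not part of the advisory), the following check encodes the fixed versions listed above for an inventory or fleet-audit script. It assumes the branch handling described here: a build on the 128 branch of Firefox ESR or Thunderbird is fixed at 128.3, Firefox ESR 115 at 115.16, and any other Firefox or Thunderbird release at 131.

```python
# Added example: decide whether a Firefox / Firefox ESR / Thunderbird build
# is below the CVE-2024-9394 fix version. Fixed versions are those in the
# advisory (Firefox 131, ESR 128.3 and 115.16, Thunderbird 128.3 and 131);
# the branch routing below is an assumption of this example.
from __future__ import annotations
import re

# Per product: (branch_major, first_fixed_version). branch_major=None is the
# catch-all for builds not on a listed branch (e.g. rapid-release Firefox).
FIXED = {
    "firefox":     [(None, (131, 0))],
    "firefox-esr": [(115, (115, 16)), (128, (128, 3))],
    "thunderbird": [(128, (128, 3)), (None, (131, 0))],
}


def parse_version(text: str) -> tuple[int, int]:
    """Reduce strings such as '128.2.0esr' or '115.15.0' to (major, minor).
    The patch component and suffixes like 'esr' or 'b3' are ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(product: str, version: str) -> bool:
    """True when this build precedes the fix for CVE-2024-9394."""
    key = product.strip().lower()
    if key == "firefox" and "esr" in version.lower():
        key = "firefox-esr"  # about:support reports ESR builds as e.g. 128.2.0esr
    entries = FIXED[key]
    major, minor = parse_version(version)
    branches = {b: fixed for b, fixed in entries if b is not None}
    catch_all = dict(entries).get(None)
    if major in branches:
        fixed = branches[major]
    elif catch_all is not None:
        fixed = catch_all
    else:
        # Branch not listed in the advisory (e.g. an end-of-life ESR line):
        # conservatively treat anything older than the oldest fix as vulnerable.
        fixed = min(fixed for _, fixed in entries)
    return (major, minor) < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for prod, ver in [("firefox", "130.0.1"), ("firefox", "128.2.0esr"),
                      ("firefox-esr", "115.16.0"), ("thunderbird", "130.0")]:
        print(f"{prod:12} {ver:12} vulnerable={is_vulnerable(prod, ver)}")
```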
📡 Detection & Monitoring
Log Indicators:
- Unusual devtools:// or resource://devtools access in browser logs
- Multiple failed multipart response parsing attempts
Network Indicators:
- Malicious sites serving crafted multipart responses with JavaScript payloads
- Unusual cross-origin JSON data transfers
SIEM Query:
source="browser_logs" AND (uri="resource://devtools/*" OR uri="devtools://*") AND status="error"
🔗 References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1918874
- https://www.mozilla.org/security/advisories/mfsa2024-46/
- https://www.mozilla.org/security/advisories/mfsa2024-47/
- https://www.mozilla.org/security/advisories/mfsa2024-48/
- https://www.mozilla.org/security/advisories/mfsa2024-49/
- https://www.mozilla.org/security/advisories/mfsa2024-50/
- https://lists.debian.org/debian-lts-announce/2024/10/msg00004.html
- https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html