CVE-2024-8382

Published: Sep 3, 2024Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, Firefox ESR < 115.15, Thunderbird < 128.2, and Thunderbird < 115.15.

Affected (3)

Products: Mozilla: Firefox, Firefox Esr

2 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 130.0
Mozilla Firefox Esr	Before 115.15
Mozilla Firefox Esr	From 128.0 to 128.2

Related CWEs

Improper Check for Dropped Privileges

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

References (8)

https://bugzilla.mozilla.org/show_bug.cgi?id=1906744

Source: security@mozilla.org

Issue TrackingPermissions Required

https://www.mozilla.org/security/advisories/mfsa2024-39/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-40/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-41/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-43/

Source: security@mozilla.org

https://www.mozilla.org/security/advisories/mfsa2024-44/

Source: security@mozilla.org

https://lists.debian.org/debian-lts-announce/2024/09/msg00012.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2024/09/msg00025.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.