CVE-2024-9398 - Vulnerability Details

By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Mozilla	Firefox Firefox Esr Thunderbird
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox_esr::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta2::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta3::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta4::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta5::::::
	cpe:2.3:a:mozilla:thunderbird:129.0:beta6::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
firefox-0:128.3.0-1.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2024:7702	2024-10-07T00:00:00Z
Red Hat Enterprise Linux 8
thunderbird-0:128.3.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:7699	2024-10-07T00:00:00Z
firefox-0:128.3.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:7700	2024-10-07T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
firefox-0:128.3.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2024:7646	2024-10-03T00:00:00Z
thunderbird-0:128.3.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2024:7856	2024-10-09T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
firefox-0:128.3.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:7703	2024-10-07T00:00:00Z
thunderbird-0:128.3.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:7854	2024-10-09T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
firefox-0:128.3.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:7703	2024-10-07T00:00:00Z
thunderbird-0:128.3.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:7854	2024-10-09T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
firefox-0:128.3.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:7703	2024-10-07T00:00:00Z
thunderbird-0:128.3.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:7854	2024-10-09T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
firefox-0:128.3.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2024:7704	2024-10-07T00:00:00Z
thunderbird-0:128.3.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2024:8169	2024-10-16T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
firefox-0:128.3.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:7704	2024-10-07T00:00:00Z
thunderbird-0:128.3.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:8169	2024-10-16T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
firefox-0:128.3.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2024:7704	2024-10-07T00:00:00Z
thunderbird-0:128.3.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2024:8169	2024-10-16T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
firefox-0:128.3.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:7842	2024-10-09T00:00:00Z
thunderbird-0:128.3.1-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:8166	2024-10-16T00:00:00Z
Red Hat Enterprise Linux 9
thunderbird-0:128.3.0-1.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:7552	2024-10-02T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
firefox-0:128.3.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:7621	2024-10-03T00:00:00Z
thunderbird-0:128.3.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:7855	2024-10-09T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
firefox-0:128.3.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:7622	2024-10-03T00:00:00Z
thunderbird-0:128.3.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:7853	2024-10-09T00:00:00Z

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1881037
https://nvd.nist.gov/vuln/detail/CVE-2024-9398
https://www.cve.org/CVERecord?id=CVE-2024-9398
https://www.mozilla.org/security/advisories/mfsa2024-46/
https://www.mozilla.org/security/advisories/mfsa2024-47/
https://www.mozilla.org/security/advisories/mfsa2024-49/
https://www.mozilla.org/security/advisories/mfsa2024-50/

History

Tue, 18 Mar 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 11 Oct 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla firefox Esr Mozilla thunderbird
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:mozilla:firefox:::::::: cpe:2.3:a:mozilla:firefox_esr:::::::: cpe:2.3:a:mozilla:thunderbird:::::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta2:::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta3:::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta4:::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta5:::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta6:::::: cpe:2.3:a:mozilla:thunderbird:129.0:beta::::::
Vendors & Products		Mozilla Mozilla firefox Mozilla firefox Esr Mozilla thunderbird
Metrics	cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Thu, 10 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:8.8

Tue, 08 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els Redhat rhel Tus
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6 cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els Redhat rhel Tus

Fri, 04 Oct 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:9.2
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus

Thu, 03 Oct 2024 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Wed, 02 Oct 2024 14:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-203
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}`

Wed, 02 Oct 2024 01:15:00 +0000

Type	Values Removed	Values Added
Title		firefox: thunderbird: External protocol handlers could be enumerated via popups
References		https://nvd.nist.gov/vuln/detail/CVE-2024-9398 https://www.cve.org/CVERecord?id=CVE-2024-9398
Metrics	threat_severity `None`	threat_severity `Low`

Tue, 01 Oct 2024 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 01 Oct 2024 15:30:00 +0000

Type	Values Removed	Values Added
Description		By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1881037 https://www.mozilla.org/security/advisories/mfsa2024-46/ https://www.mozilla.org/security/advisories/mfsa2024-47/ https://www.mozilla.org/security/advisories/mfsa2024-49/ https://www.mozilla.org/security/advisories/mfsa2024-50/

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2024-10-01T15:13:20.488Z

Updated: 2025-03-18T19:36:14.028Z

Reserved: 2024-10-01T06:10:19.182Z

Link: CVE-2024-9398

Vulnrichment

Updated: 2024-10-01T18:48:10.851Z

NVD

Status : Modified

Published: 2024-10-01T16:15:10.913

Modified: 2025-03-18T20:15:25.150

Link: CVE-2024-9398

Redhat

Severity : Low

Publid Date: 2024-10-01T15:13:20Z

Links: CVE-2024-9398 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9398", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2024-10-01T06:10:19.182Z", "datePublished": "2024-10-01T15:13:20.488Z", "dateUpdated": "2025-03-18T19:36:14.028Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "131", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "128.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "128.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "131", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131."}]}], "problemTypes": [{"descriptions": [{"description": "External protocol handlers could be enumerated via popups", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1881037"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-46/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-47/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-49/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-50/"}], "credits": [{"lang": "en", "value": "Satoki Tsuji"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2024-10-01T15:13:20.488Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-203", "lang": "en", "description": "CWE-203 Observable Discrepancy"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-18T19:35:52.431499Z", "id": "CVE-2024-9398", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-18T19:36:14.028Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-9398", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-18T19:35:52.431499Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T18:48:10.851Z"}}], "cna": {"credits": [{"lang": "en", "value": "Satoki Tsuji"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "131", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.3", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.3", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "131", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1881037"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-46/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-47/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-49/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-50/"}], "descriptions": [{"lang": "en", "value": "By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.", "supportingMedia": [{"type": "text/html", "value": "By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "External protocol handlers could be enumerated via popups"}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2024-10-01T15:13:20.488Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9398", "state": "PUBLISHED", "dateUpdated": "2025-03-18T19:36:14.028Z", "dateReserved": "2024-10-01T06:10:19.182Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2024-10-01T15:13:20.488Z", "assignerShortName": "mozilla"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA47FFCA-3451-462C-8FFB-47143C65E65A", "versionEndExcluding": "131.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD504E26-CAAF-43F1-B808-C7E16F2ABDA3", "versionEndExcluding": "128.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B27464A-8C97-4D45-B7BE-CD1E3EA1DFD6", "versionEndExcluding": "128.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta:*:*:*:*:*:*", "matchCriteriaId": "1CF643F7-C722-44F1-827C-3974B45A3D0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "963ACFD6-B12A-4A66-A539-FD156C6F5220", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "B9E39014-2E8F-4E19-9575-978AB56E451A", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "28752A54-6016-4F6E-983B-CB54FEA19E5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "DA46E15E-0C2B-4F6E-8BA3-B7CB32C58D43", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:129.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "90AD96F8-A88B-4B70-A4D2-CD7637DF239A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131."}, {"lang": "es", "value": "Al comprobar el resultado de las llamadas a `window.open` con controladores de protocolos configurados espec\u00edficamente, un atacante podr\u00eda determinar si la aplicaci\u00f3n que implementa ese controlador de protocolo est\u00e1 instalada. Esta vulnerabilidad afecta a Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3 y Thunderbird < 131."}], "id": "CVE-2024-9398", "lastModified": "2025-03-18T20:15:25.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-10-01T16:15:10.913", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1881037"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-46/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-47/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-49/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-50/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7702", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "firefox-0:128.3.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7699", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:128.3.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7700", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.3.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7646", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:128.3.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-10-03T00:00:00Z"}, {"advisory": "RHSA-2024:7856", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:128.3.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-10-09T00:00:00Z"}, {"advisory": "RHSA-2024:7703", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:128.3.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7854", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:128.3.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-10-09T00:00:00Z"}, {"advisory": "RHSA-2024:7703", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:128.3.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7854", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:128.3.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-10-09T00:00:00Z"}, {"advisory": "RHSA-2024:7703", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:128.3.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7854", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:128.3.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-10-09T00:00:00Z"}, {"advisory": "RHSA-2024:7704", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "firefox-0:128.3.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:8169", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "thunderbird-0:128.3.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-10-16T00:00:00Z"}, {"advisory": "RHSA-2024:7704", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "firefox-0:128.3.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:8169", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "thunderbird-0:128.3.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-10-16T00:00:00Z"}, {"advisory": "RHSA-2024:7704", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "firefox-0:128.3.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:8169", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "thunderbird-0:128.3.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-10-16T00:00:00Z"}, {"advisory": "RHSA-2024:7842", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "firefox-0:128.3.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-10-09T00:00:00Z"}, {"advisory": "RHSA-2024:8166", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "thunderbird-0:128.3.1-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-10-16T00:00:00Z"}, {"advisory": "RHSA-2024:7552", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.3.0-1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:7621", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "firefox-0:128.3.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-10-03T00:00:00Z"}, {"advisory": "RHSA-2024:7855", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "thunderbird-0:128.3.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-10-09T00:00:00Z"}, {"advisory": "RHSA-2024:7622", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "firefox-0:128.3.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-03T00:00:00Z"}, {"advisory": "RHSA-2024:7853", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:128.3.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-09T00:00:00Z"}], "bugzilla": {"description": "firefox: thunderbird: External protocol handlers could be enumerated via popups", "id": "2315952", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315952"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-203", "details": ["By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.", "The Mozilla Foundation's Security Advisory: By checking the result of calls to window.open with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed."], "name": "CVE-2024-9398", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-01T15:13:20Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-9398\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-9398\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1881037\nhttps://www.mozilla.org/security/advisories/mfsa2024-46/\nhttps://www.mozilla.org/security/advisories/mfsa2024-47/\nhttps://www.mozilla.org/security/advisories/mfsa2024-49/\nhttps://www.mozilla.org/security/advisories/mfsa2024-50/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object