CVE-2024-9393 Information

Description

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=1918301
https://www.mozilla.org/security/advisories/mfsa2024-46/
https://www.mozilla.org/security/advisories/mfsa2024-47/
https://www.mozilla.org/security/advisories/mfsa2024-48/
https://www.mozilla.org/security/advisories/mfsa2024-49/
https://www.mozilla.org/security/advisories/mfsa2024-50/
