CVE-2024-8383 Affecting firefox package, versions <130.0-r0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CHAINGUARDLATEST-FIREFOX-8098273
- published 26 Sep 2024
- disclosed 3 Sep 2024
Introduced: 3 Sep 2024
CVE-2024-8383 Open this link in a new tabHow to fix?
Upgrade Chainguard firefox to version 130.0-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream firefox package and not the firefox package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1908496
- https://www.mozilla.org/security/advisories/mfsa2024-39/
- https://www.mozilla.org/security/advisories/mfsa2024-40/
- https://www.mozilla.org/security/advisories/mfsa2024-41/
- https://www.mozilla.org/security/advisories/mfsa2024-43/
- https://www.mozilla.org/security/advisories/mfsa2024-44/