
CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims in Mozilla Firefox

Severity: Medium
Type: Vulnerability
Tags: CVE-2024-11694, cve
Published: Tue Nov 26 2024 (11/26/2024, 13:33:57 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox

Description

Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.

AI-Powered Analysis

Last updated: 11/03/2025, 23:17:49 UTC

Technical Analysis

CVE-2024-11694 affects Mozilla Firefox before 133, Firefox ESR before 128.5 and before 115.18, and Thunderbird before 133, 128.5 and 115.18. The flaw is in the Google SafeFrame shim shipped by the Web Compatibility (webcompat) system extension. When Enhanced Tracking Protection is set to Strict, Firefox blocks the real SafeFrame script as a tracker and the extension injects a stand-in shim so that pages depending on it keep working. That shim did not honour the embedding page's Content Security Policy: it could create frames from sources that the page's frame-src directive should have rejected, and it could be driven into DOM-based cross-site scripting (CWE-79), executing attacker-influenced script in the context of the page it was injected into.

The frame-src directive controls which origins a page may load into its own iframes. It is not a clickjacking defence; that is the job of frame-ancestors (or X-Frame-Options), which governs who may embed the page. Bypassing frame-src lets a frame from an origin the site operator explicitly excluded appear inside the page, where it can masquerade as legitimate content, and the accompanying DOM XSS means the site's own CSP could not be relied upon to confine script execution for Strict-mode users.

Exploitation needs no privileges or authentication but does need user interaction, typically visiting a crafted or compromised page in an affected build with ETP Strict enabled. The CVSS v3.1 base score is 6.1 (medium): network attack vector, low attack complexity, no privileges required, user interaction required, limited impact on confidentiality and integrity, no impact on availability. No exploitation in the wild had been reported at the time of publication.

Thunderbird is affected because it shares Firefox's rendering engine and bundled system extensions. The case illustrates a general risk of compatibility shims: code injected by the browser to keep sites working runs outside the security model the site expects, and can weaken controls such as CSP unless it is written to respect them. The source record carries no patch link; the fix is the version upgrade to Firefox 133, Firefox ESR 128.5 or 115.18, and Thunderbird 133, 128.5 or 115.18.
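To make the bypassed decision concrete, the following is an added example written for this page (it is not Mozilla or Firefox code): a small evaluator for the CSP frame-src check that a compliant browser performs before loading an iframe, plus the policy-hygiene check that mitigation item 3 below asks for. It parses a Content-Security-Policy header, applies the CSP3 fallback chain frame-src, then child-src, then default-src, and matches a candidate frame URL against the resulting source list. Nonces, hashes and 'strict-dynamic' are omitted because they do not apply to frame-src. The policies, hostnames and URLs are constructed samples.

```javascript
// Added example (not Mozilla/Firefox code): the frame-src decision that the SafeFrame shim
// was able to sidestep in CVE-2024-11694, written out as a plain function. Constructed sample
// policies and URLs are at the bottom.

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Parse "name src src; name src" into a Map. Per CSP, the first occurrence of a directive wins.
function parseCsp(header) {
  const directives = new Map();
  for (const clause of header.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list governing nested browsing contexts (iframes) after CSP3 directive fallback.
function frameSourceList(directives) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (directives.has(name)) return { directive: name, sources: directives.get(name) };
  }
  return null; // no governing directive: the policy does not restrict frames at all
}

// Match one source expression against a frame URL (subset of CSP3 host-source matching).
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === page.origin;
  if (e === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(e);
  if (!m) return false; // unsupported or malformed expression never matches
  const [, scheme, host, port, path] = m;
  const urlScheme = url.protocol.slice(0, -1);
  const pageScheme = page.protocol.slice(0, -1);
  if (scheme) {
    if (scheme !== urlScheme) return false;
  } else if (!(urlScheme === pageScheme || (pageScheme === 'http' && urlScheme === 'https'))) {
    return false; // no scheme in the expression: the page's scheme (or its https upgrade) is implied
  }
  if (host === '*') {
    // any host
  } else if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (url.hostname !== host) {
    return false;
  }
  if (port === undefined) {
    if (url.port !== '') return false; // URL must be on the scheme's default port
  } else if (port !== '*' && (url.port || DEFAULT_PORT[url.protocol]) !== port) {
    return false;
  }
  if (path) {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// The decision a compliant browser makes before loading an iframe: may pageUrl embed frameUrl?
function frameAllowed(cspHeader, pageUrl, frameUrl) {
  const list = frameSourceList(parseCsp(cspHeader));
  if (!list) return { allowed: true, directive: null };
  const page = new URL(pageUrl);
  const target = new URL(frameUrl);
  return { allowed: list.sources.some((s) => sourceMatches(s, target, page)), directive: list.directive };
}

// Policy hygiene: frame-src limits what this page may embed, frame-ancestors limits who may
// embed this page. A policy that covers only one of them leaves the other problem open.
function policyGaps(cspHeader) {
  const d = parseCsp(cspHeader);
  const gaps = [];
  if (!frameSourceList(d)) gaps.push('frames unrestricted: no frame-src, child-src or default-src');
  if (!d.has('frame-ancestors')) gaps.push('framing of this page unrestricted: no frame-ancestors');
  return gaps;
}

// Constructed sample: one ad-serving host is the only permitted third-party frame source.
const SAMPLE_CSP = "default-src 'self'; script-src 'self'; frame-src 'self' https://ads.example.net";
const PAGE = 'https://shop.example.com/cart';

console.log(frameAllowed(SAMPLE_CSP, PAGE, 'https://ads.example.net/safeframe/1'));   // allowed
console.log(frameAllowed(SAMPLE_CSP, PAGE, 'https://attacker.example.org/fake-login')); // blocked
console.log(policyGaps(SAMPLE_CSP)); // frame-ancestors is missing
```

The second call is the case the vulnerable shim got wrong: a frame from an origin outside the frame-src list must be refused regardless of which script asked for it. The policyGaps output shows why a frame-src-only policy is not a clickjacking defence.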

Potential Impact

For European organizations, this vulnerability puts the confidentiality and integrity of web content viewed in Firefox and Thunderbird at risk. Sites that rely on CSP to confine which origins may be framed and which script may run can have those controls bypassed for users running Enhanced Tracking Protection in Strict mode, allowing an attacker to present a malicious frame as part of a trusted page or to execute script in that page's context. Realistic outcomes are credential theft through look-alike frames, session hijacking, and delivery of further payloads from what appears to be a trusted origin. The exposure matters most in sectors that handle sensitive data, such as finance, healthcare and government, where phishing and targeted attacks already lean on user trust in the page being viewed. Because exploitation requires user interaction, the likely delivery path is social engineering that lures a user to a page exploiting the flaw. The absence of known exploits lowers the immediate risk but does not remove it; attackers routinely develop exploits after disclosure. Thunderbird is also affected, but scripting is disabled when reading mail, so the ordinary message view is not the exposed surface; the risk there is in browser-like contexts inside Thunderbird rather than in rendering of email bodies. Overall, the flaw undermines the guarantees that site operators expect from CSP and could support sophisticated attacks against European enterprises and public-sector organizations.

Mitigation Recommendations

1. Upgrade to a fixed release: Firefox 133 or later, Firefox ESR 128.5 or 115.18 or later, and Thunderbird 133, 128.5 or 115.18 or later. The fixed builds shipped with the advisory, so this is the primary mitigation.
2. Where an upgrade must wait, remove the trigger. The bug only manifests with Enhanced Tracking Protection in Strict mode, so switching affected users to Standard removes the exposure at the cost of weaker tracker blocking. The Web Compatibility extension is a built-in system add-on and removing it is not a supported configuration; the narrower control is the SmartBlock shim preference extensions.webcompat.enable_shims in about:config, which disables all shims and may break sites that depend on them.
3. Do not expect a server-side CSP change to stop this bypass; it happens inside the browser. CSP still matters for every other client, so keep frame-src limited to explicit origins rather than wildcards, add frame-ancestors to control who may embed your pages (frame-src does not do this), and treat CSP as a backstop for injection bugs rather than the fix for them.
4. Run user awareness training to reduce the success rate of the social-engineering lure that exploitation requires.
5. Use network-level protections such as web filtering and intrusion detection to block access to known malicious URLs.
6. Monitor browser telemetry and proxy logs for unusual frame loads or script execution patterns that could indicate exploitation attempts.
7. Have IT and security teams prioritize patch management for browsers and email clients, starting with high-risk departments.
8. Consider endpoint detection and response (EDR) tooling capable of flagging anomalous browser behaviour associated with XSS or CSP bypass attempts.
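Because each release line is fixed at a different version (133 for the main line, 128.5 and 115.18 for the two ESR lines, the same numbers for Thunderbird), a naive "version < 133" check misclassifies patched ESR builds. The following added example, written for this page and not Mozilla tooling, triages an inventory of installed versions against the affected ranges stated in the advisory. The inventory rows, hostnames and the shape of the version strings are constructed samples.

```javascript
// Added example (not Mozilla tooling): decide from a product/version pair whether a build is
// inside the affected range of CVE-2024-11694, per release line. Sample inventory is constructed.

// Fixed version per release line, from the advisory: 115.x -> 115.18, 128.x -> 128.5, everything else -> 133.
const FIXED = {
  firefox: [[115, '115.18.0'], [128, '128.5.0'], [null, '133.0']],
  thunderbird: [[115, '115.18.0'], [128, '128.5.0'], [null, '133.0']],
};

// "128.5.0esr" -> [128, 5, 0]; trailing tags such as "esr" or "b3" are ignored.
function parseVersion(s) {
  return s.replace(/[a-z].*$/i, '').split('.').map((n) => parseInt(n, 10) || 0);
}

// Numeric, component-wise comparison; missing components count as 0, so 133.0 == 133.0.0.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// The fixed version that applies to this build's release line, or null for products not covered.
function fixedVersionFor(product, version) {
  const lines = FIXED[product.toLowerCase()];
  if (!lines) return null;
  const major = parseVersion(version)[0];
  const [, fixed] = lines.find(([line]) => line === major) || lines[lines.length - 1];
  return fixed;
}

// true if affected, false if patched, null if the product is outside this advisory.
function isAffected(product, version) {
  const fixed = fixedVersionFor(product, version);
  if (fixed === null) return null;
  return compareVersions(version, fixed) < 0;
}

// Reduce an inventory export to the hosts that still need an upgrade and the version to target.
function triage(inventory) {
  return inventory
    .filter((r) => isAffected(r.product, r.version) === true)
    .map((r) => ({ host: r.host, product: r.product, version: r.version, upgradeTo: fixedVersionFor(r.product, r.version) }));
}

// Constructed sample inventory (hostnames and versions are illustrative).
const SAMPLE_INVENTORY = [
  { host: 'ws-01', product: 'Firefox', version: '128.4.0esr' },
  { host: 'ws-02', product: 'Firefox', version: '133.0' },
  { host: 'mail-03', product: 'Thunderbird', version: '115.17.0' },
  { host: 'ws-04', product: 'Firefox', version: '128.5.0esr' },
  { host: 'ws-05', product: 'Chrome', version: '131.0.6778.85' },
];

console.log(triage(SAMPLE_INVENTORY)); // ws-01 -> 128.5.0, mail-03 -> 115.18.0
```

Run it over an export from your inventory tool with the same field names, or adapt the row mapping; the per-line table is the part worth keeping, since the same pattern recurs in every Mozilla advisory that fixes two ESR lines alongside the main release.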


Technical Details

Data Version: 5.2
Assigner Short Name: mozilla
Date Reserved: 2024-11-25T16:29:29.656Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69092616fe7723195e0b35d5

Added to database: 11/3/2025, 10:00:54 PM

Last enriched: 11/3/2025, 11:17:49 PM

Last updated: 12/18/2025, 9:49:35 AM

Views: 23

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats