CVE-2024-53755 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Andrea Pernici Third Party Cookie Eraser browser extension, affecting all versions up to and including 1.0.2. The vulnerability allows an attacker to trick an authenticated user into executing unwanted actions on the extension's interface or backend by leveraging the user's active session. This CSRF flaw can be chained with Stored Cross-Site Scripting (XSS), enabling attackers to inject malicious scripts that persist within the extension's data or the browser context. Stored XSS can lead to session hijacking, credential theft, or further malware distribution. The absence of a CVSS score indicates that the vulnerability has not yet been fully assessed, but the combination of CSRF and Stored XSS significantly raises the risk profile. No patches or fixes have been published at the time of disclosure, and no known exploits are currently active in the wild. The vulnerability affects users who have installed the Third Party Cookie Eraser extension, which is designed to remove third-party cookies to enhance privacy. The attack vector requires the victim to visit a malicious website or click on a crafted link, which then triggers the CSRF attack. The lack of anti-CSRF protections and insufficient input sanitization in the extension are the root causes. This vulnerability highlights the risks associated with browser extensions that handle sensitive data and perform actions on behalf of users without adequate security controls.

The impact of CVE-2024-53755 is significant for users and organizations relying on the Andrea Pernici Third Party Cookie Eraser extension for privacy protection. Successful exploitation can lead to persistent Stored XSS attacks, allowing attackers to execute arbitrary JavaScript in the context of the extension or the browser, potentially stealing sensitive information such as cookies, session tokens, or personal data. This compromises user confidentiality and integrity. Additionally, the CSRF aspect allows attackers to perform unauthorized actions without user consent, which could alter extension settings or behavior, undermining privacy protections. For organizations, this could lead to data breaches, loss of user trust, and compliance violations, especially in sectors handling sensitive or regulated data. The vulnerability could also be leveraged as a foothold for further attacks within corporate environments if users have the vulnerable extension installed. Since no authentication bypass is required beyond the victim being logged in and using the extension, the attack surface is broad. The lack of known exploits currently limits immediate widespread impact, but the potential for damage once exploited is high.

To mitigate CVE-2024-53755, users and administrators should monitor for official patches or updates from Andrea Pernici and apply them promptly once available. Until a patch is released, users should consider disabling or uninstalling the Third Party Cookie Eraser extension to eliminate exposure. Developers should implement robust anti-CSRF tokens to validate the legitimacy of requests and prevent unauthorized actions. Additionally, input validation and output encoding must be enforced to prevent Stored XSS vulnerabilities by sanitizing all user-controllable inputs and stored data. Security teams should audit browser extensions for similar weaknesses and educate users about the risks of installing unvetted extensions. Network-level protections such as Content Security Policy (CSP) can help mitigate the impact of XSS by restricting script execution. Organizations should also employ endpoint detection and response (EDR) tools to monitor for suspicious browser activity that could indicate exploitation attempts. Regular security assessments of browser extensions and their update mechanisms are recommended to prevent future vulnerabilities.