CVE-2024-9393 is a vulnerability in Mozilla Firefox and Thunderbird involving the PDF.js component, which is responsible for rendering PDF documents within the browser. The flaw arises from improper handling of multipart HTTP responses that can be crafted by an attacker to execute arbitrary JavaScript code under the resource://pdf.js origin. This origin is normally trusted to render PDF content securely. By exploiting this, an attacker can bypass same-origin policy restrictions and gain unauthorized access to PDF contents from different origins. On desktop platforms, Firefox's Site Isolation feature limits this cross-origin access to documents within the same site, reducing the scope of the attack. However, on Android versions of Firefox, this isolation is not enforced, allowing full cross-origin access to PDF content. The vulnerability affects Firefox versions below 131, ESR versions below 128.3 and 115.16, and Thunderbird versions below 128.3 and 131. The CVSS v3.1 base score is 7.5 (high), reflecting network attack vector, no required privileges or user interaction, and high confidentiality impact. The vulnerability is classified under CWE-346 (Origin Validation Error), indicating a failure to properly validate the origin of content. No patches or exploits are currently publicly available, but the risk is significant due to the ability to access sensitive PDF data across origins, potentially exposing confidential information.

For European organizations, this vulnerability poses a substantial risk to the confidentiality of sensitive PDF documents accessed via Firefox or Thunderbird, especially on Android devices where cross-origin restrictions are not enforced. Organizations handling confidential contracts, personal data, or intellectual property in PDF format could have this information exposed to malicious actors through crafted web responses. The lack of required privileges or user interaction means attackers can exploit this remotely and silently, increasing the risk of data leakage. Sectors such as finance, legal, healthcare, and government, which frequently use PDF documents for sensitive communications, are particularly vulnerable. Additionally, the widespread use of Firefox in Europe, including on mobile devices, increases the potential attack surface. The vulnerability could facilitate espionage, data theft, or unauthorized data harvesting, impacting compliance with GDPR and other data protection regulations.

European organizations should immediately inventory Firefox and Thunderbird deployments to identify affected versions, particularly on Android devices. Until patches are released, organizations should consider the following mitigations: 1) Enforce policies to restrict or monitor the use of Firefox and Thunderbird on Android devices, especially for handling sensitive PDF documents. 2) Use network-level controls such as web proxies or content filters to block or inspect suspicious multipart HTTP responses that could exploit this vulnerability. 3) Educate users about the risk of opening PDF documents from untrusted or unknown sources within Firefox or Thunderbird. 4) Where possible, disable or restrict the use of PDF.js rendering in browsers or use alternative PDF viewers that do not rely on vulnerable components. 5) Monitor Mozilla security advisories closely and apply official patches immediately upon release. 6) Employ endpoint detection and response (EDR) solutions to detect anomalous JavaScript execution patterns related to resource://pdf.js origin. These targeted mitigations go beyond generic advice by focusing on the specific attack vector and affected platforms.