CVE-2024-9394 is a vulnerability in Mozilla Firefox and Thunderbird involving cross-origin access to JSON content through multipart HTTP responses. An attacker can craft a multipart response that causes the browser to execute arbitrary JavaScript code under the privileged resource://devtools origin. This origin typically has elevated privileges and is not normally accessible to web content. On desktop Firefox clients, the Site Isolation feature restricts this vulnerability to same-site documents, limiting the scope of cross-origin data exposure. However, on Android versions of Firefox, the vulnerability allows full cross-origin access, significantly increasing the risk of data leakage. The vulnerability affects Firefox versions prior to 131, ESR versions prior to 128.3 and 115.16, and Thunderbird versions prior to 128.3 and 131. The root cause is improper parsing and handling of multipart responses, which leads to execution of injected JavaScript and unauthorized access to JSON data from other origins. The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction and impacting confidentiality and integrity. There are no known exploits in the wild at the time of publication. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating a cross-site scripting-like issue. The flaw could be exploited by tricking a user into visiting a malicious site or receiving a malicious response that triggers the multipart parsing flaw, leading to data exposure and script execution in a privileged context.

For European organizations, this vulnerability poses a risk of sensitive data exposure and potential unauthorized actions within Firefox and Thunderbird environments. Since Firefox is widely used across Europe for both personal and enterprise purposes, the ability to execute arbitrary JavaScript under a privileged origin could lead to theft of confidential JSON data, session tokens, or other sensitive information accessible via cross-origin requests. The impact is more severe on Android devices, which are prevalent in Europe, as full cross-origin access is possible, increasing the risk of data leakage from mobile users. Organizations relying on Thunderbird for email may also be at risk of similar exploitation vectors. The vulnerability could be leveraged in targeted phishing or watering hole attacks to compromise user data or perform further attacks within the network. Although no known exploits exist yet, the medium severity and ease of network exploitation with user interaction make timely patching critical to prevent potential data breaches and integrity violations.

European organizations should prioritize updating Firefox and Thunderbird to the latest patched versions (Firefox 131 or later, ESR 128.3 or later, Thunderbird 131 or later) as soon as updates become available. Until patches are applied, organizations should implement network-level controls to block or inspect suspicious multipart HTTP responses, especially from untrusted or external sources. Security teams should educate users about the risks of interacting with untrusted links or sites that could deliver malicious multipart responses. Deploying endpoint protection solutions capable of detecting anomalous browser behaviors related to script execution under privileged origins can provide additional defense. On Android devices, enforcing strict app update policies and restricting installation of untrusted applications can reduce exposure. Monitoring browser telemetry and logs for unusual resource://devtools activity may help detect exploitation attempts. Finally, organizations should review and enhance their web content security policies and consider disabling or restricting features that allow resource://devtools origin script execution if feasible.