CVE-2024-8382

NameCVE-2024-8382
DescriptionInternal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, Firefox ESR < 115.15, Thunderbird < 128.2, and Thunderbird < 115.15.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3869-1, DLA-3882-1, DSA-5765-1, DSA-5767-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firefox (PTS)sid132.0.2-1fixed
firefox-esr (PTS)bullseye115.14.0esr-1~deb11u1vulnerable
bullseye (security)128.4.0esr-1~deb11u1fixed
bookworm128.3.1esr-1~deb12u1fixed
bookworm (security)128.4.0esr-1~deb12u1fixed
sid, trixie128.4.0esr-1fixed
thunderbird (PTS)bullseye1:115.12.0-1~deb11u1vulnerable
bullseye (security)1:128.4.3esr-1~deb11u1fixed
bookworm1:115.16.0esr-1~deb12u1fixed
bookworm (security)1:128.4.3esr-1~deb12u1fixed
sid, trixie1:128.4.3esr-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firefoxsource(unstable)130.0-1
firefox-esrsourcebullseye115.15.0esr-1~deb11u1DLA-3869-1
firefox-esrsourcebookworm115.15.0esr-1~deb12u1DSA-5765-1
firefox-esrsource(unstable)115.15.0esr-1
thunderbirdsourcebullseye1:115.15.0-1~deb11u1DLA-3882-1
thunderbirdsourcebookworm1:115.15.0-1~deb12u1DSA-5767-1
thunderbirdsource(unstable)1:128.2.0esr-1

Notes

https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8382
https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/#CVE-2024-8382
https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8382
https://www.mozilla.org/en-US/security/advisories/mfsa2024-44/#CVE-2024-8382
Search for package or bug name: Reporting problems