Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-11694

CVE-2024-11694: Mozilla Firefox DOM-based XSS Vulnerability

CVE-2024-11694 is a DOM-based XSS flaw in Mozilla Firefox that allows CSP frame-src bypass through the Google SafeFrame shim. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2024-11694 Overview

CVE-2024-11694 is a Cross-Site Scripting (XSS) vulnerability affecting Mozilla Firefox and Thunderbird products. Enhanced Tracking Protection's Strict mode may have inadvertently allowed a Content Security Policy (CSP) frame-src bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content, potentially allowing attackers to inject and execute malicious scripts in the context of the affected browser or email client.

Critical Impact

Users with Enhanced Tracking Protection in Strict mode could be vulnerable to DOM-based XSS attacks through the Google SafeFrame shim, allowing malicious actors to bypass CSP protections and potentially steal sensitive information or perform actions on behalf of the user.

Affected Products

  • Mozilla Firefox < 133
  • Mozilla Firefox ESR < 128.5 and < 115.18
  • Mozilla Thunderbird < 133, < 128.5, and < 115.18

Discovery Timeline

  • 2024-11-26 - CVE-2024-11694 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2024-11694

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw exists within the Web Compatibility extension's implementation of the Google SafeFrame shim, which is designed to provide a secure container for serving advertisements. When Enhanced Tracking Protection is set to Strict mode, the extension's SafeFrame implementation fails to properly enforce CSP frame-src directives, creating an unintended pathway for DOM-based XSS attacks.

The vulnerability requires user interaction to exploit, as victims must visit a malicious webpage or receive crafted content that leverages this bypass. Once exploited, attackers can execute arbitrary JavaScript within the security context of the affected application, potentially leading to session hijacking, credential theft, or manipulation of displayed content.

Root Cause

The root cause stems from improper handling of frame sources within the Google SafeFrame shim component of the Web Compatibility extension. When Enhanced Tracking Protection operates in Strict mode, the extension's logic for managing SafeFrame content inadvertently creates an exception that allows frames from untrusted sources to bypass the CSP frame-src directive. This occurs because the shim does not properly validate or sanitize frame origins before rendering content, leading to a DOM-based XSS condition where malicious scripts can be injected and executed.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker can exploit this vulnerability by crafting a malicious webpage that leverages the SafeFrame shim bypass. When a user with Enhanced Tracking Protection in Strict mode visits the attacker-controlled page, the malicious content can bypass CSP restrictions and execute arbitrary JavaScript within the browser context.

The attack flow involves:

  1. Attacker creates a webpage containing a specially crafted frame that exploits the SafeFrame shim
  2. Victim with Enhanced Tracking Protection in Strict mode visits the malicious page
  3. The malicious frame bypasses CSP frame-src restrictions through the vulnerability
  4. DOM-based XSS payload executes in the context of the victim's browser session
  5. Attacker can steal session tokens, redirect users, or perform other malicious actions

Due to the DOM-based nature of this XSS vulnerability, the malicious payload is processed entirely on the client side, making server-side filtering ineffective. The vulnerability affects both browsing sessions in Firefox and email rendering in Thunderbird, expanding the potential attack surface.

Detection Methods for CVE-2024-11694

Indicators of Compromise

  • Unexpected iframe elements appearing on webpages that should be blocked by CSP policies
  • Browser console errors indicating CSP violations followed by successful frame loading
  • Unusual JavaScript execution originating from third-party frame sources
  • Network traffic to suspicious domains embedded within SafeFrame containers

Detection Strategies

  • Monitor browser extension behavior for anomalous frame loading patterns that bypass configured CSP directives
  • Implement Content Security Policy reporting (report-uri or report-to directives) to capture and analyze CSP violation attempts
  • Deploy endpoint detection solutions capable of identifying DOM manipulation attempts and suspicious script execution
  • Analyze web traffic logs for patterns consistent with XSS payload delivery through frame injection

Monitoring Recommendations

  • Enable CSP violation reporting to a centralized logging system for analysis of bypass attempts
  • Configure SIEM rules to alert on patterns of frame-based content injection followed by unexpected script execution
  • Monitor for browser versions that fall within the vulnerable range (Firefox < 133, Firefox ESR < 128.5/115.18, Thunderbird < 133/128.5/115.18)
  • Implement browser telemetry collection to identify potential exploitation attempts across the organization

How to Mitigate CVE-2024-11694

Immediate Actions Required

  • Update Mozilla Firefox to version 133 or later immediately
  • Update Mozilla Firefox ESR to version 128.5 or 115.18 or later
  • Update Mozilla Thunderbird to version 133, 128.5, or 115.18 or later
  • Review Enhanced Tracking Protection settings and consider temporarily switching to Standard mode until patches are applied
  • Audit systems for vulnerable browser versions using software inventory tools

Patch Information

Mozilla has released security patches addressing this vulnerability across multiple product lines. Organizations should apply the following updates as documented in the official Mozilla Security Advisories:

For technical details on the underlying bug, refer to Mozilla Bug Report #1924167. Debian users should also review the Debian LTS Announcement for distribution-specific guidance.

Workarounds

  • Temporarily disable the Web Compatibility extension if the feature is not critical to operations
  • Switch Enhanced Tracking Protection from Strict mode to Standard mode until patches can be applied
  • Implement additional CSP headers at the web application level to provide defense-in-depth
  • Use browser isolation or containerization technologies to limit the impact of potential exploitation
  • Consider using browser security extensions that provide additional XSS protection mechanisms
bash
# Check Firefox version from command line
firefox --version

# Check Thunderbird version from command line
thunderbird --version

# For enterprise deployments, use policies.json to enforce updates
# Location: /distribution/policies.json (Linux) or installation directory (Windows)
# Example policy to disable Web Compatibility extension temporarily:
# {
#   "policies": {
#     "Extensions": {
#       "Locked": ["webcompat@mozilla.org"]
#     }
#   }
# }

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.