Analysis Summary

CVE-2024-8399 CVSS:6.5

Mozilla Focus for iOS could allow a remote attacker to conduct spoofing attacks, caused by an error related to using Javascript links. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof URL addresses in the Focus navigation bar.

CVE-2024-8382 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the exposure of internal event interfaces to Web content when browser EventHandler listener callbacks ran. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.

CVE-2024-8384 CVSS:6.5

Mozilla Firefox could allow a remote attacker to bypass security restrictions. The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.

CVE-2024-8388 CVSS:6.5

Mozilla Firefox for Android could allow a remote attacker to conduct spoofing attacks, caused by the obscuring of the notification announcing the transition to fullscreen mode. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the browser UI.

Impact

• Gain Access
• Information Disclosure

Indicators of Compromise

CVE

• CVE-2024-8399
• CVE-2024-8382
• CVE-2024-8384
• CVE-2024-8388

Affected Vendors

Affected Products

• Mozilla Focus for iOS - 129.00
• Mozilla Firefox - 129.00
• Mozilla Firefox ESR - 128.1
• Mozilla Firefox ESR - 115.14

Remediation

Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.

CVE-2024-8399

CVE-2024-8382

CVE-2024-8384

CVE-2024-8388