Mozilla Firefox
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*
- < 94
A vulnerability exists in Mozilla Firefox and Thunderbird that allows a network attacker to bypass the Same-Origin Policy on services hosted on encrypted ports that did not opt in to HTTP/2 Opportunistic Encryption. This issue affects Firefox versions prior to 94, Thunderbird versions prior to 91.3, and Firefox ESR versions prior to 91.3. The vulnerability arises because the browser can be coaxed into treating content from a non-opted-in encrypted port as same-origin with unencrypted HTTP, potentially leading to unauthorized access to sensitive information or resources.
Exploitation of this vulnerability can lead to a Same-Origin Policy violation, allowing cross-origin access to resources on non-opted-in encrypted ports.
The vulnerability can be reproduced by forwarding a connection from an opted-in port (443) to a non-opted-in encrypted port (8443) on the same IP address. This can be done by manipulating DNS records to point to a server that controls the forwarding, and then using a crafted request to initiate the connection. Once the connection is established, the browser will treat the content from the non-opted-in port as same-origin with HTTP, bypassing the intended security restrictions.
Users can upgrade to Firefox 94 or Thunderbird 91.3 to address this vulnerability.
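One way to triage a client inventory against the fixed releases named above, as an added example that is not part of the original entry. The host names and banner strings are constructed samples, and `FIXED`, `classify` and `triage` are hypothetical names; release-channel builds are assumed, and ESR is tracked separately because a plain `< 94` comparison would wrongly flag a patched ESR 91.3.

```python
import re

# Fixed releases taken from the description above (affected = anything lower).
FIXED = {
    "firefox": (94,),
    "firefox-esr": (91, 3),
    "thunderbird": (91, 3),
}

# Matches banners such as "Mozilla Firefox 91.2.0esr" or "Thunderbird 91.2.1".
_BANNER = re.compile(r"(firefox|thunderbird)\s+(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)


def classify(banner):
    """Return (product, version_tuple, affected) or None if the banner is not recognised."""
    m = _BANNER.search(banner)
    if not m:
        return None
    product = m.group(1).lower()
    if product == "firefox" and m.group(3):
        product = "firefox-esr"  # ESR has its own fixed release
    version = tuple(int(part) for part in m.group(2).split("."))
    fixed = FIXED[product]
    # Pad both tuples to equal length so that 94.0 compares equal to 94.
    width = max(len(version), len(fixed))
    padded_version = version + (0,) * (width - len(version))
    padded_fixed = fixed + (0,) * (width - len(fixed))
    return product, version, padded_version < padded_fixed


def triage(inventory):
    """Split {host: banner} into (affected hosts, hosts with unrecognised banners)."""
    affected, unknown = [], []
    for host, banner in sorted(inventory.items()):
        result = classify(banner)
        if result is None:
            unknown.append(host)
        elif result[2]:
            affected.append(host)
    return affected, unknown


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 93.0",
    "ws-02": "Mozilla Firefox 94.0",
    "ws-03": "Mozilla Firefox 91.2.0esr",
    "ws-04": "Mozilla Firefox 91.3.0esr",
    "ws-05": "Thunderbird 91.2.1",
    "ws-06": "unknown-browser 1.0",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts returned in the second list need manual review rather than being treated as unaffected.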