Mozilla Thunderbird JavaScript Execution Vulnerability via Spoofed PDF Attachment

Vulnerability

A vulnerability in Mozilla Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. This issue affects Thunderbird versions prior to 128.10.1 and prior to 138.0.1. The vulnerability arises from the incorrect rendering of nested email attachments (message/rfc822) with a content type of application/pdf. When such an attachment is opened, Thunderbird may mistakenly interpret it as HTML, allowing the embedded JavaScript to execute without a file download. This behavior depends on Thunderbird automatically saving the attachment to the /tmp directory and linking to it via the file:/// protocol, which could facilitate JavaScript execution as part of the HTML.

Impact

Exploitation of this vulnerability allows for the execution of JavaScript in the file:/// context, potentially leading to unauthorized actions or access to local files, depending on the nature of the executed script.

Reproduction

To reproduce this vulnerability, create a nested email attachment of the type message/rfc822 and set its content type to application/pdf. When the email is opened in Thunderbird, the application may incorrectly render the attachment as HTML. This misinterpretation allows any embedded JavaScript to execute without requiring a file download. The vulnerability takes advantage of Thunderbird's automatic saving of attachments to the /tmp directory and the use of the file:/// protocol to link to the saved file, enabling the execution of JavaScript as part of the rendered HTML.
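As an added defender-side check, not part of this advisory or of Thunderbird's code: a Python script that parses a message with the standard library, flags attachments declared application/pdf whose bytes lack the %PDF- header, and records whether the part sits inside a message/rfc822 attachment, the shape described above. The sample message and its filenames are constructed.

```python
import email
from email import policy

# Constructed sample, not taken from the advisory: a message/rfc822 attachment
# whose inner part is declared application/pdf but whose bytes are HTML. The
# script element is an empty placeholder.
SAMPLE = b"""From: sender@example.invalid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="report.eml"

Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

<html><body><script></script></body></html>

--outer--
"""

HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body")

def looks_like_html(body: bytes) -> bool:
    head = body.lstrip()[:512].lower()
    return any(marker in head for marker in HTML_MARKERS)

def _iter_parts(part, inside_rfc822=False):
    # Walk the MIME tree, remembering whether a part sits inside message/rfc822.
    yield part, inside_rfc822
    if part.is_multipart():
        nested = inside_rfc822 or part.get_content_type() == "message/rfc822"
        for sub in part.get_payload():
            yield from _iter_parts(sub, nested)

def find_spoofed_pdf_parts(raw: bytes) -> list:
    # Report parts declared application/pdf whose bytes lack the %PDF- magic.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part, nested in _iter_parts(msg):
        if part.get_content_type() != "application/pdf":
            continue
        body = (part.get_payload(decode=True) or b"").lstrip()
        if body.startswith(b"%PDF-"):
            continue  # genuine PDF header; nothing to flag
        findings.append({"filename": part.get_filename(),
                         "nested_in_rfc822": nested,  # the advisory's shape
                         "looks_like_html": looks_like_html(body)})
    return findings
```

A mail gateway or mailbox scanner can run the same check over stored .eml files and quarantine any message with a nested, HTML-looking "PDF".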

Remediation

Users can update to Thunderbird version 128.10.1 or 138.0.1, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 3.8
exploitability: 4.8
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.