Mozilla Thunderbird
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*
- < 138
- < 128.10
A process isolation vulnerability has been identified in Mozilla Thunderbird and Firefox. It arises from improper handling of 'javascript:' URIs, which can allow content to execute in the top-level document's process instead of the intended frame. Such a flaw could potentially enable a sandbox escape. The issue affects multiple versions of Firefox and Thunderbird, particularly those prior to version 138, as well as certain Firefox ESR releases.
Exploitation of this vulnerability could lead to a process isolation bypass, allowing content to execute in a privileged context and potentially escape sandbox restrictions.
Users can update to Thunderbird 138, Firefox 138, or the relevant Firefox ESR versions to address this vulnerability.