Primary

Context

Mozilla Thunderbird and Firefox JavaScript URL Execution Vulnerability in Object and Embed Tags

Vulnerability

Patched

A vulnerability exists in Mozilla Thunderbird and Firefox that allows the execution of 'javascript:' URLs when they are used in 'object' and 'embed' tags. This issue is present in Thunderbird and Firefox versions prior to 141, as well as in Firefox ESR versions prior to 128.13 and 140.1.

Impact

Exploitation of this vulnerability could lead to the execution of arbitrary JavaScript code in the context of the user.

Remediation

Users can upgrade to Thunderbird 141, Firefox 141, or Firefox ESR 128.13 or 140.1 to address this vulnerability.

Added: Jul 22, 2025, 9:50 PM

Updated: Jul 22, 2025, 9:50 PM

Vulnerability Rating

Custom Algorithm

spread

8.4

impact

1.7

exploitability

4.4

remediation

7.7

relevance

0.3

threat

0.0

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

8.4

impact

1.7

exploitability

4.4

remediation

7.7

relevance

0.3

threat

0.0

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mozilla Thunderbird and Firefox JavaScript URL Execution Vulnerability in Object and Embed Tags

Vulnerability

Impact

Remediation

Affected Products

Mozilla Firefox

Mozilla Firefox ESR

Mozilla Thunderbird

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating