Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
CPE | Name | Operator | Version |
---|---|---|---|
firefox | lt | 110.0 | |
firefox_esr | lt | 102.8 | |
thunderbird | lt | 102.8 |