In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be checked with a case-insensitive comparison. This could have resulted in the browser not correctly honoring the behaviors specified by the prefix. This vulnerability affects Firefox < 127.
According to the specification, cookie prefixes such as `__Secure` should be recognized using case-insensitive comparison. Firefox incorrectly ignored these prefixes if they were not written with the exact required capitalization, which constitutes a specification violation (CWE-178). As a result, protective mechanisms enforced by the prefixes — such as requiring the Secure flag — were not enforced by the browser. An attacker could potentially set or modify cookies in a way that should be blocked by these prefixes.
An attacker could bypass security measures related to cookie prefixes, which could result in unauthorized access to protected resources, disclosure of sensitive data, or violation of user session integrity.
Mozilla Firefox browser should be updated to version 127 or newer. Details available in the security advisory from the vendor: https://www.mozilla.org/security/advisories/mfsa2024-25/
Mozilla Firefox in versions earlier than 127
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 127.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...