VYPR
Medium severity 6.5 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-8971

Description

Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A same-origin policy bypass in the Networking: JAR component of Firefox and Thunderbird allows cross-origin access; it is fixed in version 151 of both products.

Vulnerability

A same-origin policy bypass exists in the Networking: JAR component of Firefox and Thunderbird. This vulnerability allows a malicious website to bypass the same-origin policy when handling JAR (Java Archive) resources. The issue affects Firefox versions prior to 151 and Thunderbird versions prior to 151 [1][2].

Exploitation

An attacker can exploit this vulnerability by hosting a malicious website that triggers the bypass through crafted JAR content. No authentication or special network position is required; the attack can be performed remotely by luring a user to visit the malicious site. The exact sequence of steps is not publicly detailed, but the bypass occurs during the processing of JAR resources within the browser's networking layer.

Impact

Successful exploitation allows an attacker to bypass the same-origin policy, potentially enabling cross-origin data access. This could lead to disclosure of sensitive information from other origins, such as cookies, local storage, or other web content accessible within the browser context. The impact is limited to the browser's security boundaries and does not extend to the underlying operating system.

Mitigation

The vulnerability is fixed in Firefox 151 and Thunderbird 151, both released on May 19, 2026 [1][2]. Users should update to these versions or later. No workarounds are available, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

3
