CVE-2022-22745 in Thunderbird

Summary

by MITRE • 12/22/2022

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.


Analysis

by VulDB Data Team • 05/20/2026

This vulnerability is a critical information disclosure issue in the security policy enforcement mechanisms of Mozilla Firefox and Thunderbird. The flaw manifests when securitypolicyviolation events are generated for frame-ancestors violations, potentially allowing cross-origin information to leak in a way that malicious actors could exploit. It affects Firefox Extended Support Release (ESR) versions prior to 91.5, standard Firefox versions prior to 96, and Thunderbird versions prior to 91.5, so the exposure spans multiple Mozilla products and their supported release cycles.

The technical root cause lies in how the browser handles security policy violation events when a frame-ancestors directive is violated during a cross-origin navigation attempt. frame-ancestors is the Content Security Policy (CSP) directive that controls which sources may embed a page using iframe, frame, object, or embed elements. When the directive is violated, the browser is expected to generate a securitypolicyviolation event to notify the page of the policy breach, but the implementation contained a flaw through which sensitive cross-origin information could leak via that event. This violates the fundamental principle that cross-origin information must remain isolated and protected from unauthorized access.

The operational impact extends beyond simple information disclosure: the leak could let an attacker gather intelligence about cross-origin resources and so facilitate more sophisticated attacks. An attacker could use it to discover information about the structure and resources of cross-origin domains, aiding further exploitation attempts. The vulnerability affects the core security model of the browser, specifically undermining the isolation that separates different origins and their associated security policies. The issue corresponds to CWE-200, "Information Exposure," and could potentially enable techniques described in the ATT&CK framework under T1071.004 (Application Layer Protocol: DNS) and T1566.001 (Phishing: Spearphishing Attachment), since attackers could use the leaked information to craft more convincing social engineering campaigns.

The mitigation is to upgrade to the patched versions, Firefox ESR 91.5, Firefox 96, and Thunderbird 91.5, which handle security policy violation events without leaking cross-origin information. Organizations should prioritize immediate deployment of these updates, particularly in enterprise settings where browser security is critical. Administrators should also review existing CSP configurations to confirm that frame-ancestors directives are implemented as intended, and consider monitoring security policy violation events that may indicate attempted exploitation. The fix likely strengthens the isolation around security policy event handling and ensures that cross-origin information is sanitized before being exposed through violation events. This vulnerability highlights the importance of rigorous security testing for policy enforcement mechanisms and shows how a seemingly minor implementation flaw in a security feature can have significant implications for overall browser security posture.
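As an added example, not code from Mozilla or VulDB, the following Node.js script models two things the analysis above refers to: how a frame-ancestors directive is evaluated against the chain of embedding ancestors (useful when reviewing a CSP configuration offline), and a defender-side normaliser for violation reports that keeps only origins rather than full cross-origin URLs. It assumes a simplified form of CSP3 host-source matching (no scheme upgrade, no path matching) and the `csp-report` JSON shape sent to a report-uri endpoint; every origin and report in it is constructed sample data.

```javascript
// Added example, not Mozilla's or VulDB's code. Models (1) evaluation of a
// CSP frame-ancestors directive against the chain of embedding ancestors and
// (2) origin-only summarisation of violation reports for monitoring.
// Assumptions: simplified CSP3 host-source matching (no scheme upgrade, no
// path matching); report-uri "csp-report" JSON shape; all origins and reports
// below are constructed sample data. Uses the global URL class (Node >= 10).

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match a single ancestor origin?
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  const ancestor = new URL(ancestorOrigin);
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return ancestor.origin === new URL(selfOrigin).origin;
  // Scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return ancestor.protocol === source.toLowerCase();
  // Host source: [scheme://]host[:port]; host may begin with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && ancestor.protocol !== scheme.toLowerCase() + ":") return false;
  const aHost = ancestor.hostname.toLowerCase();
  const sHost = host.toLowerCase();
  if (wildcard ? !aHost.endsWith("." + sHost) : aHost !== sHost) return false;
  if (port && port !== "*") {
    const aPort = ancestor.port || (ancestor.protocol === "https:" ? "443" : "80");
    if (aPort !== port) return false;
  }
  return true;
}

// CSP3 requires every ancestor in the chain (not only the direct parent) to
// match some frame-ancestors source; otherwise the embedded load is blocked.
function frameAncestorsAllows(header, selfOrigin, ancestorChain) {
  const sources = parseCsp(header)["frame-ancestors"];
  if (!sources) return true; // no directive: CSP does not restrict embedding
  return ancestorChain.every((a) => sources.some((s) => sourceMatches(s, a, selfOrigin)));
}

// Reduce a csp-report to origin-level fields: the collector itself should not
// retain full cross-origin URLs (paths, query strings) from violation reports.
function summariseReport(report) {
  const r = report["csp-report"] || report;
  const originOf = (u) => { try { return new URL(u).origin; } catch (_) { return "unknown"; } };
  const directive = r["effective-directive"] || r["violated-directive"] || "";
  return {
    directive,
    documentOrigin: originOf(r["document-uri"]),
    blockedOrigin: originOf(r["blocked-uri"]),
    isFrameAncestors: directive.startsWith("frame-ancestors"),
  };
}

// Count frame-ancestors violations per blocked origin, a simple monitoring signal.
function countFrameAncestorsViolations(reports) {
  const counts = {};
  for (const rep of reports) {
    const s = summariseReport(rep);
    if (!s.isFrameAncestors) continue;
    counts[s.blockedOrigin] = (counts[s.blockedOrigin] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports, in the shape a report-uri endpoint receives.
function sampleReports() {
  const mk = (doc, directive, blocked) => ({
    "csp-report": { "document-uri": doc, "effective-directive": directive,
                    "violated-directive": directive, "blocked-uri": blocked },
  });
  return [
    mk("https://app.example/account/settings?id=42", "frame-ancestors", "https://untrusted.example/embed.html"),
    mk("https://app.example/login", "frame-ancestors", "https://untrusted.example/other"),
    mk("https://app.example/", "script-src", "https://cdn.example/lib.js"),
  ];
}

// Stand-alone demo (constructed policy and origins).
const demoPolicy = "frame-ancestors 'self' https://*.partner.example";
console.log(frameAncestorsAllows(demoPolicy, "https://app.example", ["https://mail.partner.example"])); // true
console.log(frameAncestorsAllows(demoPolicy, "https://app.example", ["https://untrusted.example"]));    // false
console.log(countFrameAncestorsViolations(sampleReports())); // { 'https://untrusted.example': 2 }
```

The chain check matters in practice: a page allowed by `'self'` can still be blocked when it is framed by an allowed origin that is itself framed by a disallowed one, which is why the evaluator walks the whole ancestor chain rather than only the parent. The summariser deliberately reduces both `document-uri` and `blocked-uri` to origins before the report is stored, so the monitoring pipeline does not become another place where cross-origin path and query data accumulate.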

Reservation: 01/07/2022

Disclosure: 12/22/2022

Moderation: accepted

Entry: 2


CPE: ready

EPSS: 0.00646

KEV: no

Activities: very low
