CVE-2022-22760 in Thunderbird
Summary
by MITRE • 12/22/2022
When importing resources using Web Workers, error messages would distinguish the difference between <code>application/javascript</code> responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
This vulnerability represents a cross-origin information disclosure issue that emerged from the handling of error messages in Web Worker resource imports. The flaw occurred when browsers processed script resources through Web Workers and generated distinct error messages based on whether the server responded with application/javascript content type or other response types. This differential handling created a timing-based side channel that could be exploited by malicious actors to infer information about cross-origin resources.
The technical implementation of this vulnerability stems from how Firefox and Thunderbird handled HTTP responses within Web Worker contexts. When a Web Worker attempted to import a resource, the browser would generate different error message patterns depending on whether the response contained javascript content or other content types. This behavior created a covert channel that could be monitored by attackers to determine the nature of responses from cross-origin domains without direct access to those resources.
The operational impact of this vulnerability extends beyond simple information disclosure to potentially enable more sophisticated attacks. Attackers could leverage this weakness to perform cross-origin resource probing, identifying whether specific endpoints returned script content or other data types, which might reveal application structure, security configurations, or even sensitive information about the target system's architecture. This type of information leakage aligns with common attack patterns described in the attack tree framework where side-channel vulnerabilities can be exploited to bypass traditional security controls.
This vulnerability maps directly to CWE-200, Information Exposure, and more specifically to CWE-354, Improper Verification of Design, as it involves inadequate validation of resource handling behavior that creates information leakage. The flaw also relates to the attack pattern described in MITRE ATT&CK framework under T1071.004 Application Layer Protocol: DNS where attackers can use protocol behaviors to extract information about target systems. The issue affects Firefox versions prior to 97, Thunderbird versions prior to 91.6, and Firefox ESR versions prior to 91.6, indicating it was present in multiple browser implementations that shared similar Web Worker processing logic.
The mitigation strategy for this vulnerability involves implementing consistent error handling across all resource import scenarios regardless of content type. Browser vendors addressed this by ensuring that Web Worker error messages provide uniform responses when encountering cross-origin resources, eliminating the differential behavior that created the information disclosure channel. Security practitioners should ensure their systems are updated to patched versions and monitor for similar side-channel vulnerabilities in other browser components that might expose information through timing or response pattern differences.
This type of vulnerability demonstrates the complexity involved in secure web application development where seemingly benign implementation details can create security weaknesses. The issue highlights the importance of consistent error handling and the need for thorough security testing of browser components, particularly those involving cross-origin operations. The fix required changes to how browsers handle resource loading errors in Web Worker contexts, ensuring that the security implications of different response types are properly addressed through consistent messaging regardless of the content being processed.