Windows XP DLL loading vulnerability — Mozilla
Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such ...
Chrome privilege escalation via forced URL drag and drop — Mozilla
Security researcher Paul Stone reported that a browser applet could be used to turn a simple mouse click into a drag-and-drop action, potentially resulting in the unintended loading of resources in a user's browser. This behavior could be used twice in succession to first load a privileged chrome...
Asynchronous Auth Prompt attaches to wrong window — Mozilla
Mozilla developer Justin Dolske reported that the new asynchronous Authorization Prompt HTTP username and password was not always attached to the correct window. Although we have not demonstrated this, it may be possible for a malicious page to convince a user to open a new tab or popup to a...
Heap/integer overflows in font glyph rendering libraries — Mozilla
oCERT security researcher Will Drewry reported a series of heap and integer overflow vulnerabilities which independently affected multiple font glyph rendering libraries. On Linux platforms libpango was susceptible to the vulnerabilities while on OS X CoreGraphics was similarly vulnerable. An...
URL spoofing with invisible control characters — Mozilla
Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and...
Heap buffer overflow in external MIME bodies — Mozilla
Security research firm iDefense reported that researcher regenrecht discovered a heap-based buffer overflow vulnerability in Mozilla mail code which could potentially allow an attacker to run arbitrary code. The vulnerability is caused by allocating a buffer that can be three bytes too small in...
Directory traversal via chrome: URI — Mozilla
Gerry Eisenhaur reported the chrome: URI scheme improperly allowed directory traversal that could be used to load JavaScript, images, and stylesheets from local files in known locations. This traversal was possible only when the browser had installed add-ons which used "flat" packaging rather tha...
XUL pages can hide the window titlebar — Mozilla
Mozilla developer Eli Friedman discovered that web pages written in the XUL markup language rather than the usual HTML can hide their window's titlebar. It may have been possible to abuse this ability to create more convincing spoof and phishing pages...
Privilege escalation using watch point — Mozilla
Shutdown demonstrated that it was possible to use a JavaScript watch to gain elevated privilege. This could be used to compromise the user's computer and install malware...
Frame spoofing using document.open() — Mozilla
shutdown demonstrated a way to inject content into a sub-frame of another site using targetWindow.frames[n].document.open(), making the attacker's content look like it was part of the victim site. Similar in effect to MFSA 2005-51...
Privilege escalation through XUL persist. — Mozilla
In certain circumstances persisted XUL attributes are associated with the wrong URL. If an attacker can get a persisted string associated with a URL that will later eval or execute that attribute in a privileged context, then the attacker's code will run with the full permissions of the browser...
Localstore.rdf XML injection through XULDocument.persist() — Mozilla
XULDocument.persist did not validate the attribute name, allowing an attacker to inject XML into localstore.rdf that would be read and acted upon at startup. This could include JavaScript commands that would be run with the permissions of the browser...
Script injection from Firefox sidebar panel using data: — Mozilla
Sites can use the search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: urls containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data...
PLUGINSPAGE privileged javascript execution — Mozilla
When a webpage requires a plugin that is not installed the user can click to launch the Plugin Finder Service (PFS) to find an appropriate plugin. If the service does not have an appropriate plugin the EMBED tag is checked for a PLUGINSPAGE attribute, and if one is found the PFS dialog will contain...
Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0 — Mozilla
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild...
Security Vulnerabilities fixed in Thunderbird 128 — Mozilla
An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. It was possibl...
Security Vulnerabilities fixed in Firefox for iOS 34 — Mozilla
When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode...
Content provider permission bypass allows malicious application to access data — Mozilla
Security researcher Ken Okuyama reported an issue on Firefox for Android where a previously installed malicious application can access content provider permissions for Firefox in order to read data. This data includes browser history and locally saved passwords. This issue occurs when a list of...
Use-after-free when using multiple WebRTC data channels — Mozilla
Security researcher Dominique Hazaël-Massieux reported a use-after-free issue when using multiple WebRTC data channel connections. This causes a potentially exploitable crash when a data channel connection is freed from within a call through it...
CSP bypass due to permissive Reader mode whitelist — Mozilla
Security researcher Mario Heiderich reported an issue where the security protections of Reader mode in Firefox can be bypassed, allowing scripts to be run. Mozilla developer Frederik Braun independently discovered and reported this same issue as well. This issue happens even though Reader View...
Disabling scripts in Add-on SDK panels has no effect — Mozilla
Add-on authors Jason Hamilton and Peter Arremann with AMO editor Sylvain Giroux reported a vulnerability when a panel is created using the Add-on SDK in a browser extension. Defining a panel with script: false is supposed to disable script execution but it was found that inline script would still...
URL spoofing in reader mode — Mozilla
Security researcher Juho Nurminen reported a mechanism to spoof the URL displayed in the addressbar in reader mode by manipulating the loaded URL. This flaw allows for the URL displayed to be different than that the web content rendered. This allows for potential spoofing but the effects are...
Use-after-free in MediaStream playback — Mozilla
Security researcher SkyLined reported a use-after-free issue in how audio is handled during MediaStream playback through interactions with the Web Audio API. This results in a potentially exploitable crash...
Profile directory file access through file: protocol — Mozilla
Security researcher Yu Dongsong reported on Firefox for Android that a file: protocol hyperlink could link to a local file in the Firefox profile directory, bypassing access restrictions. This issue was previously addressed in Mozilla Foundation Security Advisory 2014-33 but not completely...
Application Installation doorhanger persists on navigation — Mozilla
Mozilla developer Myk Melez reported that with specifically timed page navigation, the doorhanger notification for Web App installation could persist from one site to another without being dismissed by the navigation. This could be used by a malicious site to trick a user into installing an...
XSS using addEventListener and setTimeout on a wrapped object — Mozilla
Mozilla security researcher mozbugra4 reports that by using an appropriately wrapped object it was possible to bypass the fix for MFSA 2007-19. Prior to Firefox 3.6 this gives an attacker the ability to perform cross-site scripting attacks against arbitrary sites as in the original MFSA 2007-19...
WOFF heap corruption due to integer overflow — Mozilla
Security researcher Evgeny Legerov of Intevydis reported that the WOFF decoder contains an integer overflow in a font decompression routine. This flaw could result in too small a memory buffer being allocated to store a downloadable font. An attacker could use this vulnerability to crash a victim...
Multiple cross origin wrapper bypasses — Mozilla
Mozilla security researcher mozbugra4 reported a series of vulnerabilities in which objects that normally receive a XPCCrossOriginWrapper are constructed without the wrapper. This can lead to cases where JavaScript from one website may unsafely access properties of such an object which had been s...
Race condition while accessing the private data of a NPObject JS wrapper class object — Mozilla
Jakob Balle and Carsten Eiram of Secunia Research reported a race condition in NPObjWrapperNewResolve when accessing the properties of a NPObject, a wrapped JSObject. Balle and Eiram demonstrated that this condition could be reached by navigating away from a web page during the loading of a Java...
XUL scripts bypass content-policy checks — Mozilla
Mozilla add-on developer and community member Wladimir Palant reported that content-loading policies were not checked before loading external script files into XUL documents. The severity of this problem would depend on the reasons behind the content policy check, which include privacy from "web...
Cross-domain data theft via script redirect error message — Mozilla
Google security researcher Chris Evans reported that a website could access a limited amount of data from a different domain by loading a same-domain JavaScript URL which redirects to an off-domain target resource containing data which is not parsable as JavaScript. Upon attempting to load the da...
XMLHttpRequest 302 response disclosure — Mozilla
Marius Schilder of Google Security reported that when a XMLHttpRequest is made to a same-origin resource which 302 redirects to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR. Cookies marked HttpOnly were not readable, but oth...
Image stealing via canvas and HTTP redirect — Mozilla
Mozilla developer Georgi Guninski reported that the canvas element could be used in conjunction with an HTTP redirect to bypass same-origin restrictions and gain access to the content in arbitrary images from other domains. This vulnerability could be used by an attacker to steal private...
Web forgery overwrite with div overlay — Mozilla
Security researchers Emil Ljungdahl and Lars-Olof Moilanen demonstrated that, in cases where the entire contents of a page are enclosed in a div with absolute positioning, a web forgery warning dialog won't be displayed unless the user switches tabs away from and then back to the forgery page...
XPCNativeWrapper pollution using Script object — Mozilla
Mozilla security researcher mozbugra4 reported that it was possible to use the Script object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome (such as by right-clicking to open a context menu) can cause attacker-supplied JavaScript to run with the same...
Crashes with evidence of memory corruption (rv:1.8.1.5) — Mozilla
As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited t...
Frame spoofing while window is loading — Mozilla
Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the...
Information disclosure through cache collisions — Mozilla
Aad reported that two web pages can collide in the disk cache, with the result that, depending on the order in which they are loaded, the end of the longer document can be appended to the shorter one when the shorter is reloaded from the cache. It is possible a determined hacker could construct a targeted attack to steal som...
XSS using outer window's Function object — Mozilla
mozbugra4 demonstrated that the Function prototype regression described in bug 355161 could be exploited to bypass the protections against cross-site scripting (XSS) injection, which could be used to steal credentials or sensitive data from arbitrary sites or perform destructive actions on behalf of a...
XSS with XPCNativeWrapper(window).Function(...) — Mozilla
shutdown reports that cross-site scripting (XSS) attacks could be performed using the construct XPCNativeWrapper(window).Function(...), which created a function that appeared to belong to the window in question even after it had been navigated to the target site...
Heap buffer overwrite on malformed VCard — Mozilla
A VCard attachment with a malformed base64 field such as a photo can trigger a heap buffer overwrite. These have proven exploitable in the past, though in this case the overwrite is accompanied by an integer underflow that would attempt to copy more data than the typical machine has, leading to a...
Native DOM methods can be hijacked across domains — Mozilla
A malicious page can hijack native DOM methods on a document object in another domain, which will run the attacker's script when called by the victim page. This could be used to steal login cookies, passwords, or other sensitive data on the target page, or to perform actions on behalf of a logged-...
Privilege escalation using crypto.generateCRMFRequest — Mozilla
shutdown demonstrated that the crypto.generateCRMFRequest method can be used to run arbitrary code with the privilege of the user, which could enable an attacker to install malware...
File stealing by changing input type — Mozilla
Claus Jörgensen reports that a text input box can be pre-filled with a filename and then turned into a file-upload control with the contents intact, allowing a malicious website to steal any local file whose name it can guess...
Changing position:relative to static corrupts memory — Mozilla
Dynamically changing the style of an element from position:relative to position:static can cause Gecko to operate on freed memory. It may be possible to exploit this in order to run arbitrary code...
Security Vulnerabilities fixed in Firefox ESR 128.8 — Mozilla
In resizeToAtLeast of SkRegion.cpp, there was a possible out of bounds write due to an integer overflow. On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. It was possibl...
Security Vulnerabilities fixed in Firefox ESR 102.6 — Mozilla
A missing check related to tex units could have led to a use-after-free and potentially exploitable crash. An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages. This bug only affects Firefox for Linux. Oth...
Security Vulnerabilities fixed in Firefox for iOS 101 — Mozilla
The search term could have been specified externally to trigger SQL injection...
Security Vulnerabilities fixed in Firefox ESR 68.5 — Mozilla
A content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write. This could have caused memory corruption and a potentially exploitable crash. By downloading a file with the .fileloc extension, a semi-privileged extension...
Security vulnerabilities fixed in Thunderbird 68.1.1 — Mozilla
A crafted S/MIME message consisting of an inner encryption layer and an outer SignedData layer was shown as having a valid digital signature, although the signer might have had no access to the contents of the encrypted message, and might have stripped a different signature from the encrypted...