Mozilla | Most viewed

1568 matches found

Mozilla
added 2026/05/19 12:00 a.m. | 20 views

Security Vulnerabilities fixed in Firefox for iOS 151.0 — Mozilla

Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies...

CVSS: 6.5 | AI score: 5.9 | EPSS: 0.00192
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla
added 2026/04/21 12:00 a.m. | 20 views

Security Vulnerabilities fixed in Firefox ESR 115.35 — Mozilla

Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

CVSS: 9.8 | AI score: 6 | EPSS: 0.00485
Exploits: 0 | References: 10 | Affected Software: 1

Mozilla
added 2025/04/01 12:00 a.m. | 20 views

Security Vulnerabilities fixed in Firefox 137 — Mozilla

JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. An attacker could read 32 bits of values spilled onto the stack in a JIT compiled function. Leaking of file descriptors from the fork server to web content processes could allow for...

CVSS: 8.1 | AI score: 8 | EPSS: 0.00767
Exploits: 1 | References: 8 | Affected Software: 1

Mozilla
added 2025/02/18 12:00 a.m. | 20 views

Security Vulnerabilities fixed in Firefox 135.0.1 — Mozilla

Memory safety bugs present in Firefox 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

CVSS: 6.5 | AI score: 7.9 | EPSS: 0.00436
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla
added 2013/12/10 12:00 a.m. | 20 views

Mis-issued ANSSI/DCSSI certificate — Mozilla

Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a man-in-the-middle (MITM) traffic management device. This certificate was issued by Agence nationale de la sécurité des systèmes d'information (ANSSI), an agency of t...

AI score: 6.7
Exploits: 0 | References: 1 | Affected Software: 4

Mozilla
added 2011/09/27 12:00 a.m. | 20 views

Inferring keystrokes from motion data — Mozilla

University of California, Davis researchers Liang Cai and Hao Chen presented a paper at the 2011 USENIX HotSec workshop on inferring keystrokes from device motion data on mobile devices. Web pages can now receive data similar to the apps studied in that paper and likely present a similar risk. We...

AI score: 6.7
Exploits: 0 | References: 1 | Affected Software: 2

Mozilla
added 2009/06/22 12:00 a.m. | 20 views

Crash viewing multipart/alternative message with text/enhanced part — Mozilla

Bernd Jendrissek reported a crash in Thunderbird when viewing a multipart/alternative mail message with a text/enhanced part. Internally this led to operations on an unexpected type of object resulting in a crash which may be exploitable...

AI score: 6.8
Exploits: 0 | References: 1 | Affected Software: 2

Mozilla
added 2008/11/12 12:00 a.m. | 20 views

file: URIs inherit chrome privileges when opened from chrome — Mozilla

Security researcher Luke Bryan reported that file: URIs are given chrome privileges when opened in the same tab as a chrome page or privileged about: page. This vulnerability could be used by an attacker to run arbitrary JavaScript with chrome privileges. The severity of this issue was determined...

CVSS: 5.1 | AI score: 2.2 | EPSS: 0.02172
Exploits: 0 | References: 2 | Affected Software: 1

Mozilla
added 2006/04/13 12:00 a.m. | 20 views

Secure-site spoof (requires security warning dialog) — Mozilla

Tristor reports that it was possible to spoof the browser's secure-site indicators (the lock icon, the site name in the URL field, the gold URL field background) in Firefox by first loading the target secure site in a pop-up window, then changing its location to a different site...

CVSS: 2.6 | AI score: 3.6 | EPSS: 0.02477
Exploits: 0 | References: 1 | Affected Software: 3

Mozilla
added 2005/02/24 12:00 a.m. | 20 views

XSLT can include stylesheets from arbitrary hosts — Mozilla

xsl:include and xsl:import can include XSLT stylesheets from arbitrary domains including those behind the user's firewall. This at least allows for existence checking of these files; it's not clear how much, if any, data could be extracted from arbitrary XML files...

AI score: 7.1
Exploits: 0 | References: 1 | Affected Software: 2

Mozilla
added 2026/06/16 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Firefox for iOS 152.0 — Mozilla

Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in...

CVSS: 6.5 | AI score: 5.3 | EPSS: 0.001
Exploits: 0 | References: 2 | Affected Software: 1

Mozilla
added 2026/06/02 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Firefox 151.0.3 — Mozilla

CVE-2026-10701: Incorrect boundary conditions in the Graphics: Text component (Reporter: taiho kim; Impact: high; References: Bug 2038537). CVE-2026-10702: JIT miscompilation in the JavaScript Engine: JIT component (Reporter: Nebula Security; Impact: high; References: Bug 2040903)...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00267
Exploits: 0 | References: 2 | Affected Software: 1

Mozilla
added 2026/05/19 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Thunderbird 151 — Mozilla

Memory safety bugs present in Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs...

CVSS: 9.6 | AI score: 6 | EPSS: 0.00583
Exploits: 0 | References: 29 | Affected Software: 1

Mozilla
added 2026/05/19 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Firefox 151 — Mozilla

Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these bugs showed...

CVSS: 9.6 | AI score: 6 | EPSS: 0.00583
Exploits: 0 | References: 31 | Affected Software: 1

Mozilla
added 2026/04/21 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Firefox 150 — Mozilla

Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9,...

CVSS: 9.8 | AI score: 6 | EPSS: 0.00485
Exploits: 0 | References: 43 | Affected Software: 1

Mozilla
added 2025/06/10 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Firefox 139.0.4 — Mozilla

Certain canvas operations could have led to memory corruption. An integer overflow was present in OrderedHashTable used by the JavaScript engine...

CVSS: 9.8 | AI score: 6.9 | EPSS: 0.00651
Exploits: 0 | References: 2 | Affected Software: 1

Mozilla
added 2025/05/13 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Thunderbird 138.0.1 — Mozilla

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an invalid value "Spoofed Name [email protected] [email protected]", Thunderbird treats [email protected] as the...

CVSS: 8.1 | AI score: 6.6 | EPSS: 0.00351
Exploits: 0 | References: 5 | Affected Software: 1

Mozilla
added 2024/12/11 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Thunderbird 115.18 — Mozilla

Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. This bug only affected the application on Apple M series hardware. Other platforms were unaffected. Enhanced Tracking Protection's Strict...

CVSS: 8.8 | AI score: 6.2 | EPSS: 0.00704
Exploits: 0 | References: 3 | Affected Software: 1

Mozilla
added 2024/12/10 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Thunderbird 128.5.2 — Mozilla

The Matrix specification demands homeservers to perform validation of the server-name and media-id components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent client-side path traversal...

CVSS: 5.3 | AI score: 6.6 | EPSS: 0.00842
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla
added 2024/11/26 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Thunderbird 128.5 — Mozilla

Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. This bug only affected the application on Apple M series hardware. Other platforms were unaffected. An attacker could cause a select...

CVSS: 9.8 | AI score: 7.5 | EPSS: 0.00833
Exploits: 0 | References: 10 | Affected Software: 1

Mozilla
added 2024/11/26 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Firefox 133 — Mozilla

Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. This bug only affected the application on Apple M series hardware. Other platforms were unaffected. Malicious websites may have been able...

CVSS: 9.8 | AI score: 8.7 | EPSS: 0.00833
Exploits: 0 | References: 18 | Affected Software: 1

Mozilla
added 2024/10/29 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Firefox ESR 128.4 — Mozilla

A permission leak could have occurred from a trusted site to an untrusted site via embed or object elements. An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. The origin of an external protocol handler prompt could have been...

CVSS: 7.5 | AI score: 9.3 | EPSS: 0.00701
Exploits: 0 | References: 10 | Affected Software: 1

Mozilla
added 2024/10/01 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Firefox ESR 128.3 — Mozilla

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access i...

CVSS: 9.8 | AI score: 8.3 | EPSS: 0.00578
Exploits: 0 | References: 12 | Affected Software: 1

Mozilla
added 2024/08/05 12:00 a.m. | 19 views

Security Vulnerabilities fixed in Firefox for iOS 129 — Mozilla

Long pressing on a download link could potentially provide a means for cross-site scripting. The contextual menu for links could provide an opportunity for cross-site scripting attacks. When a user scans a QR Code with the QR Code Scanner feature, the user is not prompted before being navigated to...

CVSS: 9.8 | AI score: 6.4 | EPSS: 0.00305
Exploits: 1 | References: 4 | Affected Software: 1

Mozilla
added 2005/04/15 12:00 a.m. | 19 views

Arbitrary code execution from Firefox sidebar panel II — Mozilla

Sites can use the search target to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to first open a privileged page such as about:config and then inject script using a javascript: url. This could be used to install malicious code or steal data without user...

AI score: 6.8
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla
added 2005/02/24 12:00 a.m. | 19 views

SSL "secure site" indicator spoofing — Mozilla

Various schemes were reported that could cause the "secure site" lock icon to appear and show certificate details for the wrong site. These could be used by phishers to make their spoofs look more legitimate, particularly in windows that hide the address bar showing the true location...

AI score: 7.1
Exploits: 0 | References: 4 | Affected Software: 2

Mozilla
added 2005/02/24 12:00 a.m. | 19 views

Overwrite arbitrary files downloading .lnk twice — Mozilla

If a Windows user can be convinced to download a .lnk file twice to the same location an attacker can overwrite (essentially delete) arbitrary files on the user's machine: the file referenced by the first .lnk will be overwritten by the second download rather than replacing the .lnk itself. On some...

AI score: 6.9
Exploits: 0 | References: 1 | Affected Software: 3

Mozilla
added 2005/01/21 12:00 a.m. | 19 views

Link opened in new tab can load a local file — Mozilla

Links with a custom getter and toString method can bypass checks intended to prevent web content from linking to local files and "chrome" URIs if the user can be convinced to middle-click or control-click to open it in a new tab. The browser's "same-origin" policy prevents the attacker's content...

AI score: 6.4
Exploits: 0 | References: 1 | Affected Software: 2

Mozilla
added 2026/06/01 12:00 a.m. | 18 views

Security Vulnerabilities fixed in Firefox for iOS 151.2 — Mozilla

Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. Firefox for iOS Reader Vi...

CVSS: 5.4 | AI score: 6 | EPSS: 0.00157
Exploits: 0 | References: 2 | Affected Software: 1

Mozilla
added 2026/05/25 12:00 a.m. | 18 views

Security Vulnerabilities fixed in Firefox for iOS 151.1 — Mozilla

Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins...

CVSS: 5.4 | AI score: 5.8 | EPSS: 0.00199
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla
added 2025/05/17 12:00 a.m. | 18 views

Security Vulnerabilities fixed in Firefox ESR 128.10.1 — Mozilla

An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object. An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes...

CVSS: 9.8 | AI score: 6.2 | EPSS: 0.08272
Exploits: 1 | References: 2 | Affected Software: 1

Mozilla
added 2025/04/29 12:00 a.m. | 18 views

Security Vulnerabilities fixed in Firefox ESR 115.23 — Mozilla

Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file...

CVSS: 9.1 | AI score: 7.6 | EPSS: 0.00517
Exploits: 0 | References: 4 | Affected Software: 1

Mozilla
added 2025/03/04 12:00 a.m. | 18 views

Security Vulnerabilities fixed in Thunderbird 136 — Mozilla

Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could hav...

CVSS: 8.8 | AI score: 8.4 | EPSS: 0.00497
Exploits: 0 | References: 13 | Affected Software: 1

Mozilla
added 2005/07/12 12:00 a.m. | 18 views

Exploitable crash in InstallVersion.compareTo — Mozilla

When InstallVersion.compareTo is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation...

AI score: 6.9
Exploits: 0 | References: 1 | Affected Software: 2

Mozilla
added 2005/02/24 12:00 a.m. | 18 views

Unsafe /tmp/plugtmp directory exploitable to erase user's files — Mozilla

A predictable name is used for the plugin temporary directory. A malicious local user could symlink this to the victim's home directory and wait for the victim to run Firefox. When Firefox shuts down the victim's directory would be erased...

AI score: 6.8
Exploits: 0 | References: 1 | Affected Software: 2

Mozilla
added 2005/02/24 12:00 a.m. | 18 views

Autocomplete data leak — Mozilla

As users downarrow through autocomplete choices each is copied in turn into the input control. A malicious site could create a page that autocompletes some common data such as phone number or SSN and potentially convince a user to arrow through the values. Script on the page could watch the value...

AI score: 6.7
Exploits: 0 | References: 1 | Affected Software: 1

Mozilla
added 2005/01/21 12:00 a.m. | 18 views

Mail responds to cookie requests — Mozilla

Mozilla mail clients from March to December 2004 responded to cookie requests accompanying content loaded over HTTP, ignoring the setting of the preference "network.cookie.disableCookieForMailNews" (disabled cookies are the default in mail)...

AI score: 6.9
Exploits: 0 | References: 1 | Affected Software: 2

Mozilla
added 2026/05/07 12:00 a.m. | 17 views

Security Vulnerabilities fixed in Firefox 150.0.2 — Mozilla

Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Firefox 150.0.1...

CVSS: 8.1 | AI score: 6 | EPSS: 0.00377
Exploits: 0 | References: 3 | Affected Software: 1

Mozilla
added 2025/05/27 12:00 a.m. | 17 views

Security Vulnerabilities fixed in Firefox ESR 115.24 — Mozilla

A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. Error handling for script execution was incorrectly isolated from web content, which could ha...

CVSS: 5.4 | AI score: 6.6 | EPSS: 0.00493
Exploits: 0 | References: 4 | Affected Software: 1

Mozilla
added 2025/05/17 12:00 a.m. | 17 views

Security Vulnerabilities fixed in Firefox ESR 115.23.1 — Mozilla

An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object. An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes...

CVSS: 9.8 | AI score: 6.6 | EPSS: 0.08272
Exploits: 1 | References: 2 | Affected Software: 1

Mozilla
added 2024/10/01 12:00 a.m. | 17 views

Security Vulnerabilities fixed in Thunderbird 128.3 — Mozilla

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access i...

CVSS: 9.8 | AI score: 8.3 | EPSS: 0.00578
Exploits: 0 | References: 12 | Affected Software: 1

Mozilla
added 2005/07/12 12:00 a.m. | 17 views

XHTML node spoofing — Mozilla

Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that nodes really were of the expected type. An XHTML document could be used to create fake elements, for example, with content-defined properties that the browser would access...

AI score: 6.8
Exploits: 0 | References: 1 | Affected Software: 2

Mozilla
added 2005/07/12 12:00 a.m. | 17 views

Same origin violation: frame calling top.focus() — Mozilla

A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent...

AI score: 6.6
Exploits: 0 | References: 2 | Affected Software: 2

Mozilla
added 2026/05/08 12:00 a.m. | 16 views

Security Vulnerabilities fixed in Thunderbird 150.0.2 — Mozilla

Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Thunderbird 150.0.1. Some of...

CVSS: 8.1 | AI score: 6 | EPSS: 0.00377
Exploits: 0 | References: 3 | Affected Software: 1

Mozilla
added 2026/01/27 12:00 a.m. | 16 views

Security Vulnerabilities fixed in Firefox 147.0.2 — Mozilla

CVE-2026-24868: Mitigation bypass in the Privacy: Anti-Tracking component (Reporter: Masato Kinugawa; Impact: moderate; References: Bug 2007302). CVE-2026-24869: Use-after-free in the Layout: Scrolling and Overflow component (Reporter: Hiroyuki Ikezoe; Impact: high; References: Bug 2008698)...

CVSS: 8.8 | AI score: 5.9 | EPSS: 0.00213
Exploits: 0 | References: 2 | Affected Software: 1

Mozilla
added 2025/05/27 12:00 a.m. | 16 views

Security Vulnerabilities fixed in Thunderbird 139 — Mozilla

A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. Error handling for script execution was incorrectly isolated from web content, which could ha...

CVSS: 7.5 | AI score: 8.1 | EPSS: 0.00493
Exploits: 0 | References: 10 | Affected Software: 1

Mozilla
added 2025/01/10 12:00 a.m. | 16 views

Security Vulnerabilities fixed in Firefox for iOS 134 — Mozilla

Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address...

CVSS: 6.5 | AI score: 6.2 | EPSS: 0.00232
Exploits: 0 | References: 2 | Affected Software: 1

Mozilla
added 2024/10/29 12:00 a.m. | 16 views

Security Vulnerabilities fixed in Thunderbird 128.4 — Mozilla

A permission leak could have occurred from a trusted site to an untrusted site via embed or object elements. An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. The origin of an external protocol handler prompt could have been...

CVSS: 7.5 | AI score: 9.3 | EPSS: 0.00701
Exploits: 0 | References: 10 | Affected Software: 1

Mozilla
added 2024/02/19 12:00 a.m. | 16 views

Security Vulnerabilities fixed in Focus for iOS 123 — Mozilla

Utilizing a 302 redirect, an attacker could have conducted a Universal Cross-Site Scripting (UXSS) on a victim website, if the victim had a link to the attacker's website...

CVSS: 6.1 | AI score: 6.4 | EPSS: 0.00324
Exploits: 1 | References: 1 | Affected Software: 1

Mozilla
added 2015/09/22 12:00 a.m. | 16 views

Information disclosure via the High Resolution Time API — Mozilla

Security researchers Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, Angelos D. Keromytis of Columbia University's Network Security Lab reported a method of using the High Resolution Time API for side channel attacks. This attack uses JavaScript loaded through a hostile web page to track...

AI score: 6.8
Exploits: 0 | References: 3 | Affected Software: 3

Total number of security vulnerabilities: 1568