Untrusted site hosting trusted page can intercept webchannel responses — Mozilla

Mozilla developer Mark Hammond reported a flaw in how WebChannel.jsm handles message traffic. He found that when a trusted page is hosted within an on an untrusted third-party untrusted framing page, the untrusted page could intercept webchannel responses meant for the trusted page, bypassing...

Security Vulnerabilities fixed in Thunderbird 78.15

During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Thunderbird 78.14...

Security Vulnerabilities fixed in Firefox 88.0.1, Firefox for Android 88.1.3 — Mozilla

By triggering multiple pop-up prompts containing javascript: URLs, a malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability.Note: This issue only...

Security Vulnerabilities fixed in Firefox 89.0.1 — Mozilla

When drawing text onto a canvas with WebRender disabled, an out of bounds read could occur. This bug only affects Firefox on Windows. Other operating systems are unaffected...

Security vulnerabilities fixed in Firefox 62.0.2 — Mozilla

A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally...

Security vulnerabilities fixed in Thunderbird 52.9 — Mozilla

A buffer overflow can occur when rendering canvas content while adjusting the height and width of the element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. A use-after-free vulnerability can occur when deleti...

Vulnerabilities in Graphite 2 — Mozilla

Security researcher Holger Fuhrmannek reported that a malicious Graphite "smart font" could circumvent the validation of internal instruction parameters in the Graphite 2 library using special CNTXTITEM instructions. This could result in arbitrary code execution...

Security Vulnerabilities fixed in Thunderbird 91.4.0 — Mozilla

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. By misusing a race in our...

Security vulnerabilities fixed in Firefox 60.0.2, ESR 60.0.2, and ESR 52.8.1 — Mozilla

A heap buffer overflow can occur in the Skia library when rasterizing paths using a maliciously crafted SVG file with anti-aliasing turned off. This results in a potentially exploitable crash...

Security vulnerabilities fixed in Firefox 57.0.2 — Mozilla

A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. Note: This attack only affects...

Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1 — Mozilla

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. An attacker could have sent a message to the parent process where the contents were used to...

Security Vulnerabilities fixed in Firefox 84.0.2, Firefox for Android 84.1.3, and Firefox ESR 78.6.1 — Mozilla

A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code...

Security vulnerabilities fixed in Firefox ESR 52.9 — Mozilla

A buffer overflow can occur when rendering canvas content while adjusting the height and width of the element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. A use-after-free vulnerability can occur when deleti...

Security vulnerabilities fixed in Thunderbird 52.8 — Mozilla

Mozilla developers backported selected changes in the Skia library. These changes correct memory corruption issues including invalid buffer reads and writes during graphic operations. Using remote content in encrypted messages can lead to the disclosure of plaintext. A use-after-free vulnerabilit...

Security vulnerabilities fixed in Firefox 57 — Mozilla

A use-after-free vulnerability can occur when flushing and resizing layout because the PressShell object has been freed while still in use. This results in a potentially exploitable crash during these operations. The Resource Timing API incorrectly revealed navigations in cross-origin iframes. Th...

Security vulnerabilities fixed in Firefox ESR 60.1 — Mozilla

A buffer overflow can occur when rendering canvas content while adjusting the height and width of the element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. A use-after-free vulnerability can occur when deleti...

Security vulnerabilities fixed in Firefox 60 — Mozilla

A use-after-free vulnerability can occur while enumerating attributes during SVG animations with clip paths. This results in a potentially exploitable crash. A use-after-free vulnerability can occur while adjusting layout during SVG animations with text paths. This results in a potentially...

Security vulnerabilities fixed in Firefox 63 — Mozilla

During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. Note: this issu...

Security vulnerabilities fixed in Firefox 62.0.3 and Firefox ESR 60.2.2 — Mozilla

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with...

Security vulnerabilities fixed in Firefox 61 — Mozilla

A buffer overflow can occur when rendering canvas content while adjusting the height and width of the element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. A use-after-free vulnerability can occur when deleti...

Security vulnerabilities fixed in Firefox 57.0.1 — Mozilla

When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not...

Security vulnerabilities fixed in Firefox 53 — Mozilla

A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the animation controller while still in use. This results in a potentially exploitable crash. A use-after-free vulnerability occurs during transaction processing in t...

Security Vulnerabilities fixed in Firefox 85.0.1 and Firefox ESR 78.7.1 — Mozilla

In the Angle graphics library, depth pitch computations did not take into account the block size and simply multiplied the row pitch with the pixel height. This caused the load functions to use a very high depth pitch, reading past the end of the user-supplied buffer.Note: This issue only affecte...

Speculative execution side-channel attack ("Spectre") — Mozilla

Jann Horn of Google Project Zero Security reported that speculative execution performed by modern CPUs could leak information through a timing side-channel attack. Microsoft Vulnerability Research extended this attack to browser JavaScript engines and demonstrated that code on a malicious web pag...

Security vulnerabilities fixed in Firefox 54 — Mozilla

A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable crash. A use-after-free vulnerability when using an incorrect URL during the...

Security vulnerabilities fixed in Firefox 58 — Mozilla

A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash. A use-after-free vulnerability can occur when the thread for a Web Worker is freed from memory prematurely instead of from memory in the main...

Security vulnerabilities fixed in Firefox 55 — Mozilla

The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. A use-after-free vulnerability can occur in...

Security vulnerabilities fixed in Firefox 59 — Mozilla

A buffer overflow can occur when manipulating the SVG animatedPathSegList through script. This results in a potentially exploitable crash. A use-after-free vulnerability can occur when manipulating elements, events, and selection ranges during editor operations. This results in a potentially...

Security vulnerabilities fixed in Firefox 56 — Mozilla

A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed when still in use, resulting in a potentially exploitable crash. A spoofing vulnerability can occur when a page switches to fullscreen mode without user notification, allowing a fake addre...

Security vulnerabilities fixed in Firefox 62 — Mozilla

A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. A use-after-free vulnerability can occur when an IndexedDB index is deleted while...

Security vulnerabilities fixed in Thunderbird 52.4 — Mozilla

A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed when still in use, resulting in a potentially exploitable crash. A use-after-free vulnerability can occur when manipulating arrays of Accessible Rich Internet Applications ARIA elements...

Use-after-free in compositor — Mozilla

A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash...

Security vulnerabilities fixed in Firefox ESR 52.4 — Mozilla

A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed when still in use, resulting in a potentially exploitable crash. A use-after-free vulnerability can occur when manipulating arrays of Accessible Rich Internet Applications ARIA elements...

Security vulnerabilities fixed in Thunderbird 52.7 — Mozilla

A buffer overflow can occur when manipulating the SVG animatedPathSegList through script. This results in a potentially exploitable crash. A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandb...

Use after free in ANGLE — Mozilla

A use-after-free can occur during Buffer11 API calls within the ANGLE graphics library, used for WebGL content. This can lead to a potentially exploitable crash. Note: This issue is in libGLES, which is only in use on Windows. Other operating systems are not affected...

Security vulnerabilities fixed in Firefox ESR 45.9 — Mozilla

A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the animation controller while still in use. This results in a potentially exploitable crash. A use-after-free vulnerability occurs during transaction processing in t...

Out of bounds memory write while processing Vorbis audio data — Mozilla

An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. The libtremor library has the same flaw as CVE-2018-5146. This library is used by Firefox in place of libvorbis on Android and ARM platforms.Update: The 52.7.2 source release accidentally di...

Security vulnerabilities fixed in Firefox ESR 60.3 — Mozilla

During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. Note: this issu...

Arbitrary code execution through unsanitized browser UI — Mozilla

Mozilla developer Johann Hofmann reported that unsanitized output in the browser UI can lead to arbitrary code execution...

Security vulnerabilities fixed in Thunderbird 60 — Mozilla

A buffer overflow can occur when rendering canvas content while adjusting the height and width of the element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. A use-after-free vulnerability can occur when deleti...

Security vulnerabilities fixed in Firefox ESR 52.3 — Mozilla

The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. A use-after-free vulnerability can occur in...

Security vulnerabilities fixed in Thunderbird 52.5 — Mozilla

A use-after-free vulnerability can occur when flushing and resizing layout because the PressShell object has been freed while still in use. This results in a potentially exploitable crash during these operations. The Resource Timing API incorrectly revealed navigations in cross-origin iframes. Th...

Security vulnerabilities fixed in Thunderbird 52.1 — Mozilla

A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the animation controller while still in use. This results in a potentially exploitable crash. A use-after-free vulnerability occurs during transaction processing in t...

Security vulnerabilities fixed in Firefox ESR 52.1 — Mozilla

A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the animation controller while still in use. This results in a potentially exploitable crash. A use-after-free vulnerability occurs during transaction processing in t...

Security vulnerabilities fixed in Thunderbird 60.2.1 — Mozilla

A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. A use-after-free vulnerability can occur when an IndexedDB index is deleted while...

Security vulnerabilities fixed in Firefox ESR 52.6 — Mozilla

A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash. An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 8 GB of RAM. This...

Security vulnerabilities fixed in - Thunderbird 52 — Mozilla

JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error. The resulting crash may be exploitabl...

Security vulnerabilities fixed in Firefox ESR 52.7 — Mozilla

A buffer overflow can occur when manipulating the SVG animatedPathSegList through script. This results in a potentially exploitable crash. A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandb...

Security vulnerabilities fixed in Thunderbird 52.5.2 — Mozilla

A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. Note: This attack only affects...

Security vulnerabilities fixed in Firefox ESR 52.5 — Mozilla

A use-after-free vulnerability can occur when flushing and resizing layout because the PressShell object has been freed while still in use. This results in a potentially exploitable crash during these operations. The Resource Timing API incorrectly revealed navigations in cross-origin iframes. Th...