Security Vulnerabilities fixed in Thunderbird 102.13 — Mozilla
An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS. Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free. A website could have...
Security Vulnerabilities fixed in Firefox 80 — Mozilla
If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with administrative privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled...
Security vulnerabilities fixed in Firefox 51.0.3 — Mozilla
The cache directory on the local file system is set to be world writable. Firefox defaults to extracting libraries from this cache. This allows for the possibility of an installed malicious application or tools with write access to the file system to replace files used by Firefox with their own...
Security Vulnerabilities fixed in Firefox 115.0.2 and Firefox ESR 115.0.2 — Mozilla
During the worker lifecycle, a use-after-free condition could have occurred, which could have led to a potentially exploitable crash...
Security Vulnerabilities fixed in Thunderbird 78.8.1 — Mozilla
Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state...
Security Vulnerabilities fixed in Firefox ESR 102.3 — Mozilla
An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. Concurrent use of t...
Security Vulnerabilities fixed in Firefox 71 — Mozilla
Improper refcounting of soft token session objects could cause a use-after-free and crash likely limited to a denial of service. When using nested workers, a use-after-free could occur during worker destruction. This resulted in a potentially exploitable crash. When setting a thread name on Windo...
Security Vulnerabilities fixed in Thunderbird 115.10 — Mozilla
GetBoundName could return the wrong version of an object when JIT optimizations were applied. In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. The JIT created incorrect code for arguments in certain cases. This led to potential...
Security Vulnerabilities fixed in Firefox 74 — Mozilla
When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash. By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during scrip...
Security Vulnerabilities fixed in Thunderbird 91 — Mozilla
A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. Note: This issue only affected Linux operating systems. Other operating systems are unaffected. An issue present in lowering/register allocation could have led to obscure but...
Security Vulnerabilities fixed in Thunderbird 115.11 — Mozilla
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. If the browser.privatebrowsing.autostart preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by...
Security Vulnerabilities fixed in Firefox 79 — Mozilla
By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. WebRTC used the memory address of a class instance as a connection identifier. Unfortunately, this value is...
Security Vulnerabilities fixed in Firefox 73 — Mozilla
A content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write. This could have caused memory corruption and a potentially exploitable crash. By downloading a file with the .fileloc extension, a semi-privileged extension...
Font vulnerabilities in the Graphite 2 library — Mozilla
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5...
Security Vulnerabilities fixed in Firefox ESR 78.6 — Mozilla
When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read. Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. Certain input to the CSS Sanitizer confused it,...
Security Vulnerabilities fixed in Thunderbird 78.3 — Mozilla
By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. Thunderbird sometimes ran the...
MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature — Mozilla
Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed accepting MD5 as a hash algorithm in...
Buffer overflow in WebGL after out of memory allocation — Mozilla
Security researcher Aki Helin used the Address Sanitizer tool to find a buffer overflow write when rendering some WebGL content. This leads to a potentially exploitable crash...
RSA Signature Forgery in NSS — Mozilla
Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is...
Security Vulnerabilities fixed in Firefox 82 — Mozilla
A use-after-free bug in the usersctp library was reported upstream. We assume this could have led to memory corruption and a potentially exploitable crash. In the crossbeam rust crate, the bounded channel incorrectly assumed that Vec::from_iter had allocated capacity that was the same as the numbe...
Security Vulnerabilities fixed in Thunderbird 68.4.1 — Mozilla
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. During the initialization of a new content process, a pointer offset can be manipulated leading to memory corruption and...
NSS accepts export-length DHE keys with regular DHE cipher suites — Mozilla
Security researcher Matthew Green reported a Diffie-Hellman (DHE) key processing issue in Network Security Services (NSS) where a man-in-the-middle (MITM) attacker can force a server to downgrade TLS connections to 512-bit export-grade cryptography by modifying client requests to include only...
Security vulnerabilities fixed in Thunderbird 45.4 — Mozilla
An out-of-bounds write of a boolean value during text conversion with some unicode characters. A bad cast when processing layout with input elements can result in a potentially exploitable crash. A use-after-free vulnerability triggered by setting an aria-owns attribute. A use-after-free issue in w...
Security Vulnerabilities fixed in Firefox 119 — Mozilla
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. Using iterative requests an attacker was able to learn the size of an opaque response, as well as the contents of a server-supplied Vary header...
Security Vulnerabilities fixed in Thunderbird 115.7 — Mozilla
An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after...
Security Vulnerabilities fixed in Firefox 127 — Mozilla
If a specific sequence of actions is performed when opening a new tab, the triggering principal associated with the new tab may have been incorrect. The triggering principal is used to calculate many values, including the Referer and Sec- headers, meaning there is the potential for incorrect...
Security Vulnerabilities fixed in Thunderbird 102.14 — Mozilla
Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect...
Security vulnerabilities fixed in Firefox 69.0.1 — Mozilla
When the pointer lock is enabled by a website through requestPointerLock, no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users...
Security vulnerabilities fixed in Firefox 52 — Mozilla
JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error. The resulting crash may be exploitabl...
Security Vulnerabilities fixed in Thunderbird 115.8 — Mozilla
When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website with the victim...
Exploitable WebGL crash with Cesium JavaScript library — Mozilla
Developer Patrick Cozzi reported a crash in some circumstances when using the Cesium JavaScript library to generate WebGL content. Mozilla developers determined that this crash is potentially exploitable...
NSS incorrectly permits skipping of ServerKeyExchange — Mozilla
Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where the client allows for an ECDHE_ECDSA exchange where the server does not send its ServerKeyExchange message instead of aborting the handshake. Instead, the NSS client will take the EC key from the ECDS...
Off-by-one error in OpenType Sanitizer — Mozilla
Mateusz Jurczyk of the Google Security Team discovered an off-by-one error in the OpenType Sanitizer using the Address Sanitizer tool. This can lead to an out-of-bounds read and execution of an uninitialized function pointer during parsing and possible remote code execution...
Security Vulnerabilities fixed in Firefox ESR 68.9 — Mozilla
NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. Mozilla developer Iain Ireland...
Security Vulnerabilities fixed in Firefox ESR 68.7 — Mozilla
A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user's profile directory. One exploitation vector for this would be to supply a user.js file providing arbitrary malicious preference value...
Firefox SVG Animation Remote Code Execution — Mozilla
A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows...
Memory corruption during failed plugin initialization — Mozilla
Mozilla developer Robert Kaiser (Kairo) reported that a race condition when initialization of a plugin fails led to a potentially exploitable use-after-free vulnerability...
Defense against multiple Location headers due to CRLF Injection — Mozilla
Ian Graham of Citrix Online reported that when multiple Location headers were present in a redirect response Mozilla behavior differed from other browsers: Mozilla would use the second Location header while Chrome and Internet Explorer would use the first. Two copies of this header with different...
Security vulnerabilities fixed in Firefox 60.6.1 — Mozilla
Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. Incorrect handling of proto mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write...
SVG buffer overflow and use-after-free issues — Mozilla
Security researcher Arthur Gerkis used the Address Sanitizer tool to find two issues involving Scalable Vector Graphics (SVG) files. The first issue is a buffer overflow in Gecko's SVG filter code when the sum of two values is too large to be stored as a signed 32-bit integer, causing the function ...
Gecko memory corruption — Mozilla
Google security researcher Abhishek Arya used the Address Sanitizer tool to uncover four issues: two use-after-free problems, one out of bounds read bug, and a bad cast. The first use-after-free problem is caused when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made to...
Security Vulnerabilities fixed in Firefox 118 — Mozilla
A compromised content process could have provided malicious data to FilterNodeD2D1 resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. This bug only affects Firefox on Windows. Other operating systems are unaffected. A compromised content proces...
JPEG information leak — Mozilla
Google security researcher Michal Zalewski reported issues with JPEG format image processing with Start Of Scan (SOS) and Define Huffman Table (DHT) markers in the libjpeg library. This could allow for the possible reading of arbitrary memory content as well as cross-domain image theft...
Security Vulnerabilities fixed in Thunderbird 68.8.0 — Mozilla
By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. A...
Security Vulnerabilities fixed in Firefox ESR 68.6 — Mozilla
When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash. By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during scrip...
Security vulnerabilities fixed in Thunderbird 45.5 — Mozilla
A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability require...
Privilege escalation using WebIDL-implemented APIs — Mozilla
Security researcher Mariusz Mlynski, via TippingPoint's Pwn2Own contest, reported that it is possible for untrusted web content to load a chrome-privileged page by getting JavaScript-implemented WebIDL to call window.open. A second bug allowed the bypassing of the popup-blocker without user...
Security Vulnerabilities fixed in Firefox 81 — Mozilla
When processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original si...
Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension — Mozilla
Brian Smith reported that delegated Online Certificate Status Protocol (OCSP) responder certificates fail to recognize the id-pkix-ocsp-nocheck extension. If this extension is present in a delegated OCSP response signing certificate, it will be discarded if it is signed by such a certificate. This...
Security Vulnerabilities fixed in Thunderbird 115.1 — Mozilla
Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect...