Security vulnerabilities fixed in Firefox ESR 45.6 — Mozilla
Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. Event handlers on marquee elements were executed despite a strict Content Security Policy CSP that disallowed inline JavaScript. Memory corruption resulting in a potentially...
Security vulnerabilities fixed in Firefox 50.1 — Mozilla
A buffer overflow in SkiaGl caused when a GrGLBuffer is truncated during allocation. Later writers will overflow the buffer, resulting in a potentially exploitable crash. Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. Event...
Firefox SVG Animation Remote Code Execution — Mozilla
A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows...
Security vulnerabilities fixed in Firefox 50.0.1 — Mozilla
Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the...
Security vulnerabilities fixed in Thunderbird 45.5 — Mozilla
A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability require...
Security vulnerabilities fixed in Firefox 50 — Mozilla
A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash. When the Mozilla Updater is run, if the Updater's log file in the...
Security vulnerabilities fixed in Firefox ESR 45.5 — Mozilla
A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. Thi...
Security vulnerabilities fixed in Firefox 49.0.2 — Mozilla
A potentially exploitable use-after-free crash during actor destruction with service workers. This issue does not affect releases earlier than Firefox 49. A Cliqz.com developer demonstrated that web content could access information in the HTTP cache if e10s is disabled. This can reveal some visit...
Security vulnerabilities fixed in Thunderbird 45.4 — Mozilla
An out-of-bounds write of a boolean value during text conversion with some unicode characters. A bad cast when processing layout with input elements can result in a potentially exploitable crash. A use-after-free vulnerability triggered by setting an aria-owns attribute. A use-after-free issue in w...
Security vulnerabilities fixed in Firefox 49 — Mozilla
A content security policy CSP containing a referrer directive with no values can cause a non-exploitable crash. An out-of-bounds write of a boolean value during text conversion with some unicode characters. An out-of-bounds read during the processing of text runs in some pages using...
Security vulnerabilities fixed in Firefox ESR 45.4 — Mozilla
An out-of-bounds write of a boolean value during text conversion with some unicode characters. A bad cast when processing layout with input elements can result in a potentially exploitable crash. A use-after-free vulnerability triggered by setting an aria-owns attribute. A use-after-free issue in w...
Scripts on marquee tag can execute in sandboxed iframes — Mozilla
Security researcher Nikita Arykov reported that JavaScript event handler attributes on a marquee tag will execute inside a sandboxed iframe that does not have the allow-scripts flag set. This could result in a cross-site scripting XSS vulnerability in a site that depends on the iframe sandbox for...
Form input type change from password to text can store plain text password in session restore file — Mozilla
Mozilla employee Mike Kaply reported that the Firefox session restore data can contain passwords in plain text if a password input field on a page has its type changed from "password" to "text" during a session. This can occur if the password input field has a scripted mechanism to display the...
Out-of-bounds read during XML parsing in Expat library — Mozilla
Security researcher Gustavo Grieco reported a potential out-of-bounds read when parsing malformed XML data during character conversion. This is due to a bug in the Expat library, which is used in Firefox. This could allow an attacker to read other inaccessible memory...
Location bar spoofing via data URLs with malformed/invalid mediatypes — Mozilla
Security researcher Firas Salem reported that decoding url-encoded values in data: urls for display leads to potential spoofing in the Location bar by using non-ASCII and emoji characters in a data: url's mediatype. This issue could result in the wrong URL being displayed as a location, which can...
Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 — Mozilla
Security researcher Bert Massop reported a crash in the Cairo graphics layer on Linux systems using the LibAV library included in version 0.10 of the FFmpeg library. This was due to an error when allocating the LibAV header when decoding some videos...
Buffer overflow rendering SVG with bidirectional content — Mozilla
Using the Address Sanitizer tool, security researcher Atte Kettunen found a buffer overflow during the rendering of SVG format graphics with directional content. This is caused by a flaw in directional-isolate processing and results in a potentially exploitable crash...
Favicon network connection can persist when page is closed — Mozilla
Security researcher Toni Huttunen reported that once the favicon is requested from a site, the remote server can keep the favicon network connection open even when the page is later closed. This allows a malicious site to continue to use this channel to send requests to the browser, leading to...
Miscellaneous memory safety hazards (rv:48.0 / rv:45.3) — Mozilla
Mozilla developers and community members reported several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these...
Integer overflow in WebSockets during data buffering — Mozilla
Security researcher Samuel Groß reported an integer overflow error in WebSockets during data buffering on incoming packets when an allocated buffer is resized incorrectly. This results in the buffer array holding the data being shrunk, instead of grown, resulting in attacker controlled data being...
Use-after-free in DTLS during WebRTC session shutdown — Mozilla
Security researcher Looben Yang reported a use-after-free vulnerability in WebRTC. This occurs during WebRTC session shutdown when DTLS objects in memory are freed while still actively in use. This results in a potentially exploitable crash...
Use-after-free in service workers with nested sync events — Mozilla
Security researcher Looben Yang discovered a use-after-free vulnerability when working with nested sync event loops in Service Workers. He discovered a mechanism where scripts can close their own worker, which will then trigger a synchronization XMLHttpRequest on this now closed and released...
Use-after-free when using alt key and toplevel menus — Mozilla
Security researcher Abhishek Arya Inferno of the Google Chrome Security Team reported a use-after-free vulnerability when the alt key is used in conjunction with toplevel menu items in Firefox. This results in a potentially exploitable crash when triggered. This vulnerability is mitigated by not...
Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter — Mozilla
Security researcher Holger Fuhrmannek reported that when the Updater is opened directly using the callback application path parameter, a copy of a user specified file is made as a callback file. If the target of this file is made with a locked hardlink, an arbitrary local file can be replaced on...
Crash in incremental garbage collection in JavaScript — Mozilla
Security researcher Jukka Jylänki reported a use-after-free in JavaScript caused by how objects and pointers are handled during incremental garbage collection in some circumstances working with object groups. When triggered, this causes a potentially exploitable crash but is mitigated by the...
Stack underflow during 2D graphics rendering — Mozilla
Georg Koppen of the Tor Project used the Address Sanitizer tool to discover a stack buffer underflow when calculating clipping regions in 2D graphics. This results in a potentially exploitable crash...
Same-origin policy violation using local HTML file and saved shortcut file — Mozilla
Security researcher Abdulrahman Alqabandi reported that when a local HTML file resides in the same directory as a malicious local shortcut file, the shortcut can be called by the local page to allow the page to read the contents of local files or directories or to load an arbitrary website in...
Type confusion in display transformation — Mozilla
Using the Address Sanitizer tool, security researcher Nils reported a type confusion flaw in display transformation during rendering due to incorrect bounds checking. This leads to a potentially exploitable crash and can be triggered by web content...
Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback — Mozilla
An anonymous security researcher working with Trend Micro's Zero Day Initiative reported a buffer overflow in the ClearKey Content Decryption Module CDM used by the Encrypted Media Extensions EME API. This vulnerability can be triggered using a malformed video file due to incorrect error handling...
Use-after-free when applying SVG effects — Mozilla
Security researcher Nils used the Address Sanitizer tool to discover a use-after-free vulnerability when applying effects to SVG elements. This results in a potentially exploitable crash...
Addressbar spoofing with right-to-left characters on Firefox for Android — Mozilla
Security researcher Rafay Baloch reported a mechanism to spoof the addressbar in Firefox for Android using right-to-left character sets when combined with left-to-right characters. This can be used to cause only certain portions of the loaded left-to-right character portion of the URL to be...
Information disclosure through Resource Timing API during page navigation — Mozilla
Amazon software engineer Catalin Dumitru reported that the URLs of resources loaded after a navigation started such as in an unload event handler were leaked to the following page through the Resource Timing API. This leads to potential information disclosure...
Spoofing attack through text injection into internal error pages — Mozilla
Security researcher musicDespiteEverything reported that some of the special about: URLs used by Firefox to display system information or error messages can incorporate text passed as parameters. These could be used in spoofing attacks...
Information disclosure and local file manipulation through drag and drop — Mozilla
Security researcher Rafael Gieschke reported that file URIs dragged from a web page in Firefox to other software do not have their contents properly filtered before being passed to other programs, such as the local file manager. This can allow for the theft or manipulation of arbitrary local file...
Incorrect icon displayed on permissions notifications — Mozilla
Security researcher Tim McCormack reported that when a page requests a series of permissions in a short timespan, the resulting permission notifications can show the icon for the wrong permission request. This can lead to user confusion and inadvertent consent given when a user is prompted by web...
File overwrite and privilege escalation through Mozilla Windows updater — Mozilla
Security researcher Frédéric Hoguin reported a mechanism where the Mozilla Windows updater could be used to overwrite arbitrary files. He found that files extracted by the updater from a MAR archive are not locked for writing and can be overwritten by other processes while the updater is running....
Out-of-bounds write with WebGL shader — Mozilla
Security researcher Aral reported an out-of-bounds write when using the ANGLE graphics library, which is used for WebGL content on Windows systems. This crash occurs due to improper size checking while writing to an array during some WebGL shader operations...
Java applets bypass CSP protections — Mozilla
Mozilla engineer Matt Wobensmith reported that Content Security Policy CSP does not block the loading of cross-domain Java applets when specified by policy. This is because the Java applet is loaded by the Java plugin, which then mediates all network requests without checking against CSP. This...
Entering fullscreen and persistent pointerlock without user permission — Mozilla
Security researcher sushi Anton Larsson reported that when paired fullscreen and pointerlock requests are done in combination with closing windows, a pointerlock can be created within a fullscreen window without user permission. This pointerlock cannot then be cancelled without terminating the...
Use-after-free when textures are used in WebGL operations after recycle pool destruction — Mozilla
Mozilla community member jomo reported a use-after-free crash when processing WebGL content. This issue was caused by the use of a texture after its recycle pool has been destroyed during WebGL operations, which frees the memory associated with the texture. This results in a potentially exploitab...
Addressbar spoofing through the SELECT element — Mozilla
Security researcher Jordi Chancel reported a method to spoof the contents of the addressbar. This uses a persistent menu within a SELECT element, which acts as a container for HTML content and can be placed in an arbitrary location. When placed over the addressbar, this can mask the true site URL,...
Information disclosure of disabled plugins through CSS pseudo-classes — Mozilla
Mozilla developer John Schoenick reported that CSS pseudo-classes can be used by web content to leak information on plugins that are installed but disabled. This can be used for information disclosure through a fingerprinting attack that lists all of the plugins installed by a user on a system,...
Partial same-origin-policy through setting location.host through data URI — Mozilla
Security researcher Armin Ebert reported that the location.host property can be set to an arbitrary string after creating an invalid data: URI. This allows for a bypass of some same-origin policy protections. This issue is mitigated by the data: URI in use and any same-origin checks for http: or...
Use-after-free deleting tables from a contenteditable document — Mozilla
Security researcher firehack used the Address Sanitizer tool to discover a use-after-free in contenteditable mode. This occurs when deleting document object model DOM table elements created within the editor and results in a potentially exploitable crash...
Buffer overflow parsing HTML5 fragments — Mozilla
Security researcher firehack reported a buffer overflow when parsing HTML5 fragments in a foreign context such as under an node. This results in a potentially exploitable crash when inserting an HTML fragment into an existing document...
Miscellaneous memory safety hazards (rv:47.0 / rv:45.2) — Mozilla
Mozilla developers and community members reported several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these...
Network Security Services (NSS) vulnerabilities — Mozilla
Mozilla has updated the version of the Network Security Services NSS library used in Firefox to NSS 3.23. This addresses four moderate-rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis...
Write to invalid HashMap entry through JavaScript.watch() — Mozilla
The CESG, the Information Security Arm of GCHQ, reported that the JavaScript .watch method could be used to overflow the 32-bit generation count of the underlying HashMap, resulting in a write to an invalid entry. Under the right conditions this write could lead to arbitrary code execution. The...
Firefox Health Reports could accept events from untrusted domains — Mozilla
Mozilla engineer Mark Goodwin discovered that the Firefox Health Report about:healthreport accepts certain events from any content document present in the remote-report iframe. If there were another vulnerability that allowed the injection of web content into the Firefox Health Report iframe, thi...
Use-after-free and buffer overflow in Service Workers — Mozilla
Security researcher Looben Yang reported two issues discovered in Service Workers using Address Sanitizer...