Mozilla Firefox Open source web browser

When interacting with an HTML input element's file picker dialog with webkitdirectory set

CVE-2021-38504 8.8 - High - December 08, 2021

When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

Dangling pointer

The iframe sandbox rules were not correctly applied to XSLT stylesheets

CVE-2021-38503 10 - Critical - December 08, 2021

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

AuthZ

The Opportunistic Encryption feature of HTTP2 (RFC 8164)

CVE-2021-38507 6.5 - Medium - December 08, 2021

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

Origin Validation Error

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation)

CVE-2021-38508 4.3 - Medium - December 08, 2021

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

Clickjacking

Due to an unusual sequence of attacker-controlled events

CVE-2021-38509 4.3 - Medium - December 08, 2021

Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

Clickjacking

When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked

CVE-2021-43531 4.3 - Medium - December 08, 2021

When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin-violation leaking data the Web Extension should have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-2021-43532 but in the context of Web Extensions. This vulnerability affects Firefox < 94.

Origin Validation Error

The 'Copy Image Link' context menu action would copy the final image URL after redirects

CVE-2021-43532 6.1 - Medium - December 08, 2021

The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to takeover a user account. If a website tricked a user into copy and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94.

Open Redirect

When parsing internationalized domain names, high bits of the characters in the URLs were sometimes stripped, resulting in inconsistencies

CVE-2021-43533 4.3 - Medium - December 08, 2021

When parsing internationalized domain names, high bits of the characters in the URLs were sometimes stripped, resulting in inconsistencies that could lead to user confusion or attacks such as phishing. This vulnerability affects Firefox < 94.

Mozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2

CVE-2021-43534 8.8 - High - December 08, 2021

Mozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

Memory Corruption

A use-after-free could have occured when an HTTP2 session object was released on a different thread

CVE-2021-43535 8.8 - High - December 08, 2021

A use-after-free could have occured when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.3, and Firefox ESR < 91.3.

Dangling pointer

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL

CVE-2021-43536 6.5 - Medium - December 08, 2021

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

Exposure of Resource to Wrong Sphere

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages

CVE-2021-43538 4.3 - Medium - December 08, 2021

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

Race Condition

Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers

CVE-2021-43539 8.8 - High - December 08, 2021

Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

Dangling pointer

An incorrect type conversion of sizes from 64bit to 32bit integers

CVE-2021-43537 8.8 - High - December 08, 2021

An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

Incorrect Type Conversion or Cast

WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites

CVE-2021-43540 6.5 - Medium - December 08, 2021

WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects Firefox < 95.

When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped

CVE-2021-43541 6.5 - Medium - December 08, 2021

When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols

CVE-2021-43542 6.5 - Medium - December 08, 2021

Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

Generation of Error Message Containing Sensitive Information

Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content

CVE-2021-43543 6.1 - Medium - December 08, 2021

Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

XSS

Using the Location API in a loop could have caused severe application hangs and crashes

CVE-2021-43545 6.5 - Medium - December 08, 2021

Using the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

Excessive Iteration

It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor

CVE-2021-43546 4.3 - Medium - December 08, 2021

It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

Clickjacking

Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user

CVE-2021-38506 4.3 - Medium - December 08, 2021

Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

Clickjacking

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers

CVE-2021-29991 8.1 - High - November 03, 2021

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.

HTTP Request Smuggling

Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs

CVE-2021-29993 8.1 - High - November 03, 2021

Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 92.

Mixed-content checks were unable to analyze opaque origins which led to some mixed content being loaded

CVE-2021-38491 6.5 - Medium - November 03, 2021

Mixed-content checks were unable to analyze opaque origins which led to some mixed content being loaded. This vulnerability affects Firefox < 92.

Mozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13

CVE-2021-38493 8.8 - High - November 03, 2021

Mozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.14, Thunderbird < 78.14, and Firefox < 92.

Memory Corruption

Mozilla developers reported memory safety bugs present in Firefox 91

CVE-2021-38494 8.8 - High - November 03, 2021

Mozilla developers reported memory safety bugs present in Firefox 91. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 92.

Memory Corruption

During operations on MessageTasks

CVE-2021-38496 8.8 - High - November 03, 2021

During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93.

Dangling pointer

Through use of reportValidity() and window.open()

CVE-2021-38497 6.5 - Medium - November 03, 2021

Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.

Origin Validation Error

During process shutdown

CVE-2021-38498 7.5 - High - November 03, 2021

During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.

Dangling pointer

Mozilla developers reported memory safety bugs present in Firefox 92

CVE-2021-38499 8.8 - High - November 03, 2021

Mozilla developers reported memory safety bugs present in Firefox 92. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93.

Memory Corruption

Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1

CVE-2021-38500 8.8 - High - November 03, 2021

Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93.

Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1

CVE-2021-38501 8.8 - High - November 03, 2021

Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.

Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12

CVE-2021-29989 8.8 - High - August 17, 2021

Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91.

Memory Corruption

Mozilla developers and community members reported memory safety bugs present in Firefox 90

CVE-2021-29990 8.8 - High - August 17, 2021

Mozilla developers and community members reported memory safety bugs present in Firefox 90. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 91.

Memory Corruption

An issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code

CVE-2021-29981 8.8 - High - August 17, 2021

An issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code that would lead to a potentially exploitable crash. This vulnerability affects Firefox < 91 and Thunderbird < 91.

Due to incorrect JIT optimization, we incorrectly interpreted data

CVE-2021-29982 6.5 - Medium - August 17, 2021

Due to incorrect JIT optimization, we incorrectly interpreted data from the wrong type of object, resulting in the potential leak of a single bit of memory. This vulnerability affects Firefox < 91 and Thunderbird < 91.

Missing Release of Resource after Effective Lifetime

Instruction reordering resulted in a sequence of instructions

CVE-2021-29984 8.8 - High - August 17, 2021

Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

Memory Corruption

A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash

CVE-2021-29985 8.8 - High - August 17, 2021

A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

Dangling pointer

Firefox incorrectly treated an inline list-item element as a block element

CVE-2021-29988 8.8 - High - August 17, 2021

Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

Out-of-bounds Read

Uninitialized memory in a

CVE-2021-29980 8.8 - High - August 17, 2021

Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

Missing Initialization of Resource

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash

CVE-2021-29970 8.8 - High - August 05, 2021

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.*. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.

Memory Corruption

If a user had granted a permission to a webpage and saved

CVE-2021-29971 9.8 - Critical - August 05, 2021

If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 90.

Improper Preservation of Permissions

A use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library

CVE-2021-29972 8.8 - High - August 05, 2021

A use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have remediated other, unknown security vulnerabilities as well. This vulnerability affects Firefox < 90.

Dangling pointer

Password autofill was enabled without user interaction on insecure websites on Firefox for Android

CVE-2021-29973 8.8 - High - August 05, 2021

Password autofill was enabled without user interaction on insecure websites on Firefox for Android. This was corrected to require user interaction with the page before a user's password would be entered by the browser's autofill functionality *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 90.

When network partitioning was enabled, e.g

CVE-2021-29974 4.3 - Medium - August 05, 2021

When network partitioning was enabled, e.g. as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain which had specified HTTP Strict Transport Security (which implies that the error should not be override-able.) This issue did not affect the network connections, and they were correctly upgraded to HTTPS automatically. This vulnerability affects Firefox < 90.

Through a series of DOM manipulations, a message, over

CVE-2021-29975 6.5 - Medium - August 05, 2021

Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar) resulting in possible user confusion. This vulnerability affects Firefox < 90.

Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird

CVE-2021-29976 8.8 - High - August 05, 2021

Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.

Memory Corruption

Mozilla developers reported memory safety bugs present in Firefox 89

CVE-2021-29977 8.8 - High - August 05, 2021

Mozilla developers reported memory safety bugs present in Firefox 89. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 90.

Memory Corruption

A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write

CVE-2021-23994 8.8 - High - June 24, 2021

A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

Missing Initialization of Resource

When Responsive Design Mode was enabled, it used references to objects that were previously freed

CVE-2021-23995 8.8 - High - June 24, 2021

When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

Operation on a Resource after Expiration or Release

By utilizing 3D CSS in conjunction with Javascript, content could have been rendered outside the webpage's viewport, resulting in a spoofing attack

CVE-2021-23996 6.5 - Medium - June 24, 2021

By utilizing 3D CSS in conjunction with Javascript, content could have been rendered outside the webpage's viewport, resulting in a spoofing attack that could have been used for phishing or other attacks on a user. This vulnerability affects Firefox < 88.

Due to unexpected data type conversions, a use-after-free could have occurred when interacting with the font cache

CVE-2021-23997 8.8 - High - June 24, 2021

Due to unexpected data type conversions, a use-after-free could have occurred when interacting with the font cache. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 88.

Incorrect Conversion between Numeric Types

Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page

CVE-2021-23998 6.5 - Medium - June 24, 2021

Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

Insufficient Verification of Data Authenticity

If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges

CVE-2021-23999 8.8 - High - June 24, 2021

If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

Improper Privilege Management

A compromised content process could have performed session history manipulations it should not have been able to due to testing infrastructure

CVE-2021-24001 4.3 - Medium - June 24, 2021

A compromised content process could have performed session history manipulations it should not have been able to due to testing infrastructure that was not restricted to testing-only configurations. This vulnerability affects Firefox < 88.

Exposure of Resource to Wrong Sphere

When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and

CVE-2021-24002 8.8 - High - June 24, 2021

When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

Argument Injection

Lack of escaping allowed HTML injection when a webpage was viewed in Reader View

CVE-2021-29944 6.1 - Medium - June 24, 2021

Lack of escaping allowed HTML injection when a webpage was viewed in Reader View. While a Content Security Policy prevents direct code execution, HTML injection is still possible. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 88.

XSS

A race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab

CVE-2021-24000 3.1 - Low - June 24, 2021

A race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab. In conjunction with certain elements (such as &lt;input type="file"&gt;) this could have led to an attack where a user was confused about the origin of the webpage and potentially disclosed information they did not intend to. This vulnerability affects Firefox < 88.

Address bar search suggestions in private browsing mode were re-using session data from normal mode

CVE-2021-29963 4.3 - Medium - June 24, 2021

Address bar search suggestions in private browsing mode were re-using session data from normal mode. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89.

Insufficient Verification of Data Authenticity

When styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which

CVE-2021-29961 4.3 - Medium - June 24, 2021

When styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. This vulnerability affects Firefox < 89.

AuthZ

A malicious website

CVE-2021-29965 5.3 - Medium - June 24, 2021

A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89.

Externally Controlled Reference to a Resource in Another Sphere

The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash

CVE-2021-29945 6.5 - Medium - June 24, 2021

The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. *Note: This issue only affected x86-32 platforms. Other platforms are unaffected.*. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

Incorrect Calculation

A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain

CVE-2021-29953 6.1 - Medium - June 24, 2021

A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected. Further details are being temporarily withheld to allow users an opportunity to update.*. This vulnerability affects Firefox < 88.0.1 and Firefox for Android < 88.1.3.

XSS

A transient execution vulnerability, named Floating Point Value Injection (FPVI)

CVE-2021-29955 5.3 - Medium - June 24, 2021

A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. (A related vulnerability, Speculative Code Store Bypass (SCSB), did not affect Firefox.). This vulnerability affects Firefox ESR < 78.9 and Firefox < 87.

Injection

When a user has already

CVE-2021-29959 4.3 - Medium - June 24, 2021

When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the website kept recording with the microphone until re-enabling the camera. This vulnerability affects Firefox < 89.

AuthZ

Firefox used to cache the last filename used for printing a file

CVE-2021-29960 4.3 - Medium - June 24, 2021

Firefox used to cache the last filename used for printing a file. When generating a filename for printing, Firefox usually suggests the web page title. The caching and suggestion techniques combined may have lead to the title of a website visited during private browsing mode being stored on disk. This vulnerability affects Firefox < 89.

Incorrect Resource Transfer Between Spheres

Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header

CVE-2021-29946 8.8 - High - June 24, 2021

Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

Integer Overflow or Wraparound

Mozilla developers and community members reported memory safety bugs present in Firefox 87

CVE-2021-29947 8.8 - High - June 24, 2021

Mozilla developers and community members reported memory safety bugs present in Firefox 87. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 88.

Memory Corruption

When Web Render components were destructed, a race condition could have caused undefined behavior, and we presume

CVE-2021-29952 7.5 - High - June 24, 2021

When Web Render components were destructed, a race condition could have caused undefined behavior, and we presume that with enough effort may have been exploitable to run arbitrary code. This vulnerability affects Firefox < 88.0.1 and Firefox for Android < 88.1.3.

Race Condition

When a download was initiated, the client did not check whether it was in normal or private browsing mode

CVE-2021-29958 4.3 - Medium - June 24, 2021

When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode. This vulnerability affects Firefox for iOS < 34.

AuthZ

Firefox for Android would become unstable and hard-to-recover when a website opened too many popups

CVE-2021-29962 4.3 - Medium - June 24, 2021

Firefox for Android would become unstable and hard-to-recover when a website opened too many popups. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89.

Improper Resource Shutdown or Release

Mozilla developers reported memory safety bugs present in Firefox 88

CVE-2021-29966 8.8 - High - June 24, 2021

Mozilla developers reported memory safety bugs present in Firefox 88. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 89.

Memory Corruption

Mozilla developers reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11

CVE-2021-29967 8.8 - High - June 24, 2021

Mozilla developers reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.11, Firefox < 89, and Firefox ESR < 78.11.

Memory Corruption

Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101

CVE-2021-30547 8.8 - High - June 15, 2021

Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

Memory Corruption

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7

CVE-2011-3656 6.1 - Medium - June 02, 2021

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7 allows remote attackers to inject arbitrary web script or HTML via vectors involving HTTP 0.9 errors, non-default ports, and content-sniffing.

XSS

A flaw in Mozilla's embedded certificate code might

CVE-2007-5967 6.5 - Medium - May 17, 2021

A flaw in Mozilla's embedded certificate code might allow web sites to install root certificates on devices without user approval.

Improper Certificate Validation

Mozilla developers reported memory safety bugs present in Firefox 86

CVE-2021-23988 8.8 - High - March 31, 2021

Mozilla developers reported memory safety bugs present in Firefox 86. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 87.

Memory Corruption

Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8

CVE-2021-23987 8.8 - High - March 31, 2021

Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.

Memory Corruption

A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL

CVE-2021-23986 6.5 - Medium - March 31, 2021

A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without cookies, so the sensitive information disclosed by the violation was limited to local-network resources or resources that perform IP-based authentication. This vulnerability affects Firefox < 87.

Origin Validation Error

If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way

CVE-2021-23985 6.5 - Medium - March 31, 2021

If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticable to the user. This would have allowed a remote attacker (able to make a direct network connection to the victim) to monitor the user's browsing activity and (plaintext) network traffic. This was addressed by providing a visual cue when Devtools has an open network socket. This vulnerability affects Firefox < 87.

A malicious extension could have opened a popup window lacking an address bar

CVE-2021-23984 6.5 - Medium - March 31, 2021

A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.

Authentication Bypass by Spoofing

By causing a transition on a parent node by removing a CSS rule

CVE-2021-23983 6.5 - Medium - March 31, 2021

By causing a transition on a parent node by removing a CSS rule, an invalid property for a marker could have been applied, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 87.

Memory Corruption

Using techniques that built on the slipstream research, a malicious webpage could have s

CVE-2021-23982 6.5 - Medium - March 31, 2021

Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.

Inadequate Encryption Strength

A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it

CVE-2021-23981 8.1 - High - March 31, 2021

A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.

Memory Corruption

Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6

CVE-2021-23964 8.8 - High - February 26, 2021

Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.

Memory Corruption

Mozilla developers reported memory safety bugs present in Firefox 84

CVE-2021-23965 8.8 - High - February 26, 2021

Mozilla developers reported memory safety bugs present in Firefox 84. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 85.

Memory Corruption

Mozilla developers reported memory safety bugs present in Firefox 85

CVE-2021-23979 8.8 - High - February 26, 2021

Mozilla developers reported memory safety bugs present in Firefox 85. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86.

Memory Corruption

Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7

CVE-2021-23978 8.8 - High - February 26, 2021

Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.

Firefox for Android suffered from a time-of-check-time-of-use vulnerability

CVE-2021-23977 5.3 - Medium - February 26, 2021

Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Note: This issue is only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 86.

TOCTTOU

If a user clicked into a specifically crafted PDF

CVE-2021-23953 4.3 - Medium - February 26, 2021

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.

Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion

CVE-2021-23954 8.8 - High - February 26, 2021

Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.

Object Type Confusion

The browser could have been confused into transferring a pointer lock state into another tab, which could have lead to clickjacking attacks

CVE-2021-23955 6.1 - Medium - February 26, 2021

The browser could have been confused into transferring a pointer lock state into another tab, which could have lead to clickjacking attacks. This vulnerability affects Firefox < 85.

Clickjacking

An ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory

CVE-2021-23956 6.5 - Medium - February 26, 2021

An ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory. This was addressed by adding a new prompt. This vulnerability affects Firefox < 85.

Navigations through the Android-specific `intent` URL scheme could have been misused to escape iframe sandbox

CVE-2021-23957 7.4 - High - February 26, 2021

Navigations through the Android-specific `intent` URL scheme could have been misused to escape iframe sandbox. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 85.

The browser could have been confused into transferring a screen sharing state into another tab, which would leak unintended information

CVE-2021-23958 6.5 - Medium - February 26, 2021

The browser could have been confused into transferring a screen sharing state into another tab, which would leak unintended information. This vulnerability affects Firefox < 85.

Exposure of Resource to Wrong Sphere

An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar

CVE-2021-23959 6.1 - Medium - February 26, 2021

An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 85.

XSS

Performing garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a potentially exploitable crash

CVE-2021-23960 8.8 - High - February 26, 2021

Performing garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.

Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine

CVE-2021-23961 7.4 - High - February 26, 2021

Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85.

Incorrect use of the '<RowCountChanged>' method could have led to a user-after-poison and a potentially exploitable crash

CVE-2021-23962 8.8 - High - February 26, 2021

Incorrect use of the '<RowCountChanged>' method could have led to a user-after-poison and a potentially exploitable crash. This vulnerability affects Firefox < 85.

When sharing geolocation during an active WebRTC share

CVE-2021-23963 4.3 - Medium - February 26, 2021

When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. This vulnerability affects Firefox < 85.

Improper Preservation of Permissions