Connect with us

Hi, what are you looking for?



Firefox 116 Patches High-Severity Vulnerabilities

Firefox 116 was released with patches for 14 CVEs, including nine high-severity vulnerabilities, some of which can lead to remote code execution or sandbox escapes.

Mozilla on Tuesday announced the release of Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14, which include patches for multiple high-severity vulnerabilities.

The browser maker lists a total of 14 CVEs in its advisory, nine of which are rated ‘high severity’. Three of the CVEs refer to memory safety bugs in Firefox.

The first of the high-severity flaws, tracked as CVE-2023-4045, is described as a cross-origin restrictions bypass in Offscreen Canvas, which failed to properly track cross-origin tainting.

The issue can allow web pages to view images displayed in a page from a different site, Sophos notes in an analysis of the update. Browsers include a same-origin policy that prevents HTML and JavaScript code originating on a website from accessing content on other sites.

The second high-severity issue that Firefox 116 patches is CVE-2023-4046, which is described as the use of an incorrect value during WASM compilation.

“In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process,” Mozilla notes.

The browser update also resolves CVE-2023-4047, a permission request bypass via clickjacking. A page could trick users into clicking on a carefully placed item but instead register the input as a click on a security dialog that was not displayed to the user.

Advertisement. Scroll to continue reading.

“Potentially risky permissions, such as accessing your location, sending notifications, activating the microphone and so on, are not supposed to be granted until you’ve seen and acted on a clear warning from the browser itself,” Sophos notes.

The three other high-severity vulnerabilities that Firefox 116 resolves include CVE-2023-4048 (an out-of-bounds read flaw causing DOMParser to crash when deconstructing a crafted HTML file), CVE-2023-4049 (race conditions leading to potentially exploitable use-after-free vulnerabilities), and CVE-2023-4050 (stack buffer overflow in StorageManager potentially leading to a sandbox escape).

Tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058, the memory safety bugs resolved in Firefox 116 could have led to arbitrary code execution.

Most of these high-severity issues, Mozilla says, also impact Firefox extended support and Thunderbird, and were addressed in Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14.

Mozilla makes no mention of any of these vulnerabilities being exploited in attacks.

Related: Firefox 115 Patches High-Severity Use-After-Free Vulnerabilities

Related: Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111

Related: Firefox Updates Patch 10 High-Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.