Mozilla on Tuesday announced the release of Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14, which include patches for multiple high-severity vulnerabilities.
The browser maker lists a total of 14 CVEs in its advisory, nine of which are rated ‘high severity’. Three of the CVEs refer to memory safety bugs in Firefox.
The first of the high-severity flaws, tracked as CVE-2023-4045, is described as a cross-origin restrictions bypass in Offscreen Canvas, which failed to properly track cross-origin tainting.
The issue can allow web pages to view images displayed in a page from a different site, Sophos notes in an analysis of the update. Browsers include a same-origin policy that prevents HTML and JavaScript code originating on a website from accessing content on other sites.
The second high-severity issue that Firefox 116 patches is CVE-2023-4046, which is described as the use of an incorrect value during WASM compilation.
“In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process,” Mozilla notes.
The browser update also resolves CVE-2023-4047, a permission request bypass via clickjacking. A page could trick users into clicking on a carefully placed item but instead register the input as a click on a security dialog that was not displayed to the user.
“Potentially risky permissions, such as accessing your location, sending notifications, activating the microphone and so on, are not supposed to be granted until you’ve seen and acted on a clear warning from the browser itself,” Sophos notes.
The three other high-severity vulnerabilities that Firefox 116 resolves include CVE-2023-4048 (an out-of-bounds read flaw causing DOMParser to crash when deconstructing a crafted HTML file), CVE-2023-4049 (race conditions leading to potentially exploitable use-after-free vulnerabilities), and CVE-2023-4050 (stack buffer overflow in StorageManager potentially leading to a sandbox escape).
Tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058, the memory safety bugs resolved in Firefox 116 could have led to arbitrary code execution.
Most of these high-severity issues, Mozilla says, also impact Firefox extended support and Thunderbird, and were addressed in Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14.
Mozilla makes no mention of any of these vulnerabilities being exploited in attacks.
Related: Firefox 115 Patches High-Severity Use-After-Free Vulnerabilities
Related: Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
Related: Firefox Updates Patch 10 High-Severity Vulnerabilities
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
