Mozilla and Google this week announced software updates for Firefox and Chrome that address multiple high-severity vulnerabilities, including memory safety bugs.
On Tuesday, Mozilla released Firefox 119 with patches for 11 vulnerabilities, including three high-severity issues.
The first of the flaws, CVE-2023-5721, is an insufficient activation-delay bug that could result in the user unintentionally activating or dismissing browser prompts and dialogues, potentially allowing clickjacking, Mozilla notes in its advisory.
The browser update also addresses several memory safety issues collectively tracked as CVE-2023-5730 and CVE-2023-5731, and which could potentially allow attackers to execute arbitrary code.
Firefox 119 also arrived with patches for seven medium-severity flaws leading to header leakage, crashes, unexpected errors, the opening of arbitrary URLs, obscured full screen notifications, and bypass of download protections.
Mozilla also announced the release of Firefox ESR 115.4 and Thunderbird 115.4.1 with patches for eight of the issues addressed with Firefox 119, including CVE-2023-5721 and CVE-2023-5730.
The browser maker makes no mention of any of these vulnerabilities being exploited in malicious attacks.
On Tuesday, Google announced a software update for Chrome that addresses two vulnerabilities, including a high-severity issue reported by an external researcher.
Tracked as CVE-2023-5472, the flaw is described as a use-after-free issue in Profiles. The internet giant handed out a $3,000 reward for the vulnerability report.
Use-after-free bugs in Chrome can be exploited to escape the browser sandbox and potentially execute code on the underlying operating system, provided they can be combined with other flaws in a privileged process. Google has not flagged this vulnerability as being exploited in the wild.
The latest Chrome iteration is now rolling out to users as version 118.0.5993.117 for macOS and Linux and as versions 118.0.5993.117/.118 for Windows.