Security Experts:

Connect with us

Hi, what are you looking for?



Firefox Updates Patch 10 High-Severity Vulnerabilities

Mozilla releases Firefox 110 and Firefox ESR 102.8 with patches for 10 high-severity vulnerabilities.

Mozilla this week announced the release of Firefox 110 and Firefox ESR 102.8 with patches for 10 high-severity vulnerabilities.

Tracked as CVE-2023-25728, the first of the security defects could result in an attacker being able to leak a child iframe’s unredacted URI, provided that a redirect is triggered when interacting with that iframe.

The latest Firefox releases also resolve a flaw related to screen hijacking via browser fullscreen mode. Tracked as CVE-2023-25730, the issue exists because a background script could invoke the fullscreen mode and then block the main thread to force the mode indefinitely.

Successful exploitation of the vulnerability, Mozilla explains in its advisory, could result in potential user confusion or spoofing attacks.

The browser maker also resolved an issue in Firefox Focus, where fullscreen notifications would not be shown, thus potentially allowing malicious websites to spoof the browser chrome (CVE-2023-25743).

Another issue resolved this week can allow an attacker to craft a PKCS 12 certificate bundle so that it would allow for arbitrary memory writes via mishandling of PKCS 12 SafeBag attributes (CVE-2023-0767).

Mozilla also resolved a vulnerability in SpiderMonkey (CVE-2023-25735) that could result in cross-compartment wrappers causing the storing of objects from other compartments in the main compartment when wrapping a scripted proxy.

Tracked as CVE-2023-25735, the issue would trigger a use-after-free after the unwrapping of the proxy, Mozilla says.

Three other high-severity vulnerabilities resolved this week could lead to undefined behavior via an invalid downcast (CVE-2023-25737), Firefox crashes when printing on Windows (CVE-2023-25738), or a use-after-free due to a missing check on failed module load requests (CVE-2023-25739).

Additionally, Mozilla announced patches for multiple memory safety bugs impacting Firefox 109 and Firefox ESR 102.7, which are tracked collectively as CVE-2023-25744 and CVE-2023-25745.

Firefox 110 and Firefox ESR 102.8 also arrived with patches for several medium- and low-severity vulnerabilities.

Related: Firefox 107 Patches High-Impact Vulnerabilities

Related: Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird

Related: Firefox 102 Patches 19 Vulnerabilities, Improves Privacy

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet