Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Firefox Updates Patch 10 High-Severity Vulnerabilities

Mozilla releases Firefox 110 and Firefox ESR 102.8 with patches for 10 high-severity vulnerabilities.

Mozilla this week announced the release of Firefox 110 and Firefox ESR 102.8 with patches for 10 high-severity vulnerabilities.

Tracked as CVE-2023-25728, the first of the security defects could result in an attacker being able to leak a child iframe’s unredacted URI, provided that a redirect is triggered when interacting with that iframe.

The latest Firefox releases also resolve a flaw related to screen hijacking via browser fullscreen mode. Tracked as CVE-2023-25730, the issue exists because a background script could invoke the fullscreen mode and then block the main thread to force the mode indefinitely.

Successful exploitation of the vulnerability, Mozilla explains in its advisory, could result in potential user confusion or spoofing attacks.

The browser maker also resolved an issue in Firefox Focus, where fullscreen notifications would not be shown, thus potentially allowing malicious websites to spoof the browser chrome (CVE-2023-25743).

Another issue resolved this week can allow an attacker to craft a PKCS 12 certificate bundle so that it would allow for arbitrary memory writes via mishandling of PKCS 12 SafeBag attributes (CVE-2023-0767).

Mozilla also resolved a vulnerability in SpiderMonkey (CVE-2023-25735) that could result in cross-compartment wrappers causing the storing of objects from other compartments in the main compartment when wrapping a scripted proxy.

Tracked as CVE-2023-25735, the issue would trigger a use-after-free after the unwrapping of the proxy, Mozilla says.

Advertisement. Scroll to continue reading.

Three other high-severity vulnerabilities resolved this week could lead to undefined behavior via an invalid downcast (CVE-2023-25737), Firefox crashes when printing on Windows (CVE-2023-25738), or a use-after-free due to a missing check on failed module load requests (CVE-2023-25739).

Additionally, Mozilla announced patches for multiple memory safety bugs impacting Firefox 109 and Firefox ESR 102.7, which are tracked collectively as CVE-2023-25744 and CVE-2023-25745.

Firefox 110 and Firefox ESR 102.8 also arrived with patches for several medium- and low-severity vulnerabilities.

Related: Firefox 107 Patches High-Impact Vulnerabilities

Related: Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird

Related: Firefox 102 Patches 19 Vulnerabilities, Improves Privacy

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Raj Dodhiawala has been named Chief Product Officer at Eclypsium.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.