Mozilla has announced the availability of Firefox 43, a release that brings fixes for 21 security flaws and several feature improvements, including a 64-bit version for Windows.
Firefox 43 resolves a total of four vulnerabilities rated critical. One of them, reported by Tsubasa Iinuma, allows cross-site reading attacks (CVE-2015-7214): data: and view-source: URIs can be used to confuse protections and bypass cross-origin restrictions.
A use-after-free vulnerability in WebRTC (CVE-2015-7210) that can lead to a potentially exploitable crash has been reported by Looben Yang.
Mozilla developer Kris Maglione discovered a privilege escalation issue related to WebExtension APIs (CVE-2015-7223). The vulnerability can be exploited to execute arbitrary code with the privileges of the affected WebExtension, which could lead to cross-site scripting (XSS) attacks and personal information theft.
Memory safety bugs (CVE-2015-7201 and CVE-2015-7202) found by Mozilla developers and community members have also been rated critical.
Researcher Masato Kinugawa reported finding a cross-origin information leak (CVE-2015-7215) that affects other browsers as well. Another vulnerability that is not limited to Mozilla products is a same-origin policy violation that can be exploited for data theft (CVE-2015-7207).
Google released an update for Chrome 47 on Tuesday to address a couple of vulnerabilities identified by the company’s own security team. This is the second security update for Chrome 47; the first was released on December 8 to patch seven issues.