Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird

Mozilla this week released security updates for the Firefox browser and Thunderbird mail client to address multiple vulnerabilities, including several bugs rated high severity.

Firefox 95 started rolling out to users earlier this week with the new RLBox isolation technology inside. RLBox is meant to limit the damage a web attack can do by confining potentially problematic third-party subcomponents in a WebAssembly-based sandbox, so that a memory-safety bug in one of them cannot be turned directly into code execution in the browser process.

The browser refresh also includes patches for 13 vulnerabilities, including six that have a severity rating of high. Some of these patches were also included in Firefox ESR 91.4 and Thunderbird 91.4.0.

If successfully exploited, the most severe of these flaws could allow an attacker to execute arbitrary code in the context of the vulnerable application (the browser or the mail client), which could potentially lead to full compromise of the affected system.

The first of these high-severity vulnerabilities could leak the target URL of a navigation while an asynchronous function is executing (CVE-2021-43536). Another is a heap buffer overflow caused by the “incorrect type conversion of sizes from 64bit to 32bit integers” (CVE-2021-43537): when a 64-bit length is narrowed to 32 bits, the buffer that gets allocated can be far smaller than the amount of data subsequently written into it.
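The size-narrowing pattern behind the heap overflow is easier to see in code. The following is an added illustration of the bug class, written for this page; it is not Mozilla's code and does not reproduce the specific CVE-2021-43537 code path. The `blob` structure, the `BLOB_MAX_BYTES` limit, the function names and the sample input are all hypothetical. The vulnerable sizing function only computes the undersized capacity and reports the mismatch; the actual out-of-bounds write is never performed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

/* Added example of the 64-bit to 32-bit size-narrowing bug class. Not Mozilla's
 * code; the struct, limit, function names and sample input are hypothetical. */

#define BLOB_MAX_BYTES (64u * 1024u * 1024u)  /* hypothetical policy limit: 64 MiB */

struct blob {
    uint32_t capacity;   /* bytes allocated for data; a 32-bit field */
    uint8_t *data;
};

/* Constructed sample input for the demonstration below. */
const uint8_t sample_input[4] = { 0xde, 0xad, 0xbe, 0xef };

/* Vulnerable sizing: the caller's 64-bit length is stored in a 32-bit field
 * with no range check. 0x1'0000'0010 silently becomes 0x10, so malloc() would
 * get 16 bytes while a later memcpy() of 'len' bytes writes 4 GiB + 16. */
uint32_t vulnerable_capacity(uint64_t len)
{
    uint32_t cap = (uint32_t)len;   /* implicit narrowing, high 32 bits dropped */
    return cap;
}

/* True when the vulnerable sizing allocates fewer bytes than the copy writes. */
bool vulnerable_would_overflow(uint64_t len)
{
    return (uint64_t)vulnerable_capacity(len) < len;
}

/* Hardened sizing: validate against the width of the 32-bit field *and* a
 * policy maximum before narrowing. Returns -1 on rejection, else the capacity. */
int64_t checked_capacity(uint64_t len)
{
    if (len > UINT32_MAX || len > BLOB_MAX_BYTES)
        return -1;
    return (int64_t)len;
}

/* Allocate a blob and copy 'len' bytes of src into it using the hardened sizing.
 * Because checked_capacity() rejects anything that does not fit, the copy length
 * always equals the allocated capacity. */
struct blob *blob_from_bytes(const uint8_t *src, uint64_t len)
{
    if (!src)
        return NULL;
    int64_t cap = checked_capacity(len);
    if (cap < 0)
        return NULL;
    struct blob *b = malloc(sizeof *b);
    if (!b)
        return NULL;
    b->capacity = (uint32_t)cap;
    b->data = malloc(b->capacity ? b->capacity : 1);  /* avoid malloc(0) */
    if (!b->data) {
        free(b);
        return NULL;
    }
    memcpy(b->data, src, (size_t)len);   /* len == capacity, guaranteed above */
    return b;
}

void blob_free(struct blob *b)
{
    if (b) {
        free(b->data);
        free(b);
    }
}

/* Convenience wrapper: capacity of the blob built from (src, len), or -1 if rejected. */
int64_t blob_capacity_for(const uint8_t *src, uint64_t len)
{
    struct blob *b = blob_from_bytes(src, len);
    if (!b)
        return -1;
    int64_t cap = b->capacity;
    blob_free(b);
    return cap;
}

int main(void)
{
    uint64_t evil = 0x100000010ULL;   /* constructed attacker-controlled length */
    printf("vulnerable capacity for 0x%llx: %u bytes (would overflow: %s)\n",
           (unsigned long long)evil, vulnerable_capacity(evil),
           vulnerable_would_overflow(evil) ? "yes" : "no");
    printf("checked capacity for 0x%llx: %lld\n",
           (unsigned long long)evil, (long long)checked_capacity(evil));
    printf("checked capacity for %zu-byte sample: %lld\n",
           sizeof sample_input,
           (long long)blob_capacity_for(sample_input, sizeof sample_input));
    return 0;
}
```

The point of the hardened version is that the range check happens on the 64-bit value, before any narrowing, and that the copy length and the allocation size are derived from the same validated number. Compiling with `-Wconversion` flags the implicit narrowing in `vulnerable_capacity`, and a build with AddressSanitizer would catch the out-of-bounds write if the copy were actually performed.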

Mozilla also patched a potential spoofing issue in which the full screen and pointer lock notifications would be missing when both were requested at once (CVE-2021-43538), and a use-after-free caused by the garbage collector failing to trace live pointers, so that memory still in use could be freed and then reused (CVE-2021-43539).

Mozilla shipped patches for these four high-severity vulnerabilities to Firefox, Firefox ESR and Thunderbird users. Additionally, it addressed a high-severity use-after-free flaw that affects Firefox on macOS.

The browser maker also released patches for high-severity memory safety bugs found in previous versions of its applications, along with fixes for several medium- and low-severity vulnerabilities.

Looking to raise awareness of these vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued an advisory to encourage organizations to apply the available patches as soon as possible.

“Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA notes.

Related: Firefox 95 Rolls Out With New ‘RLBox’ Isolation Feature

Related: Google Patches Serious Use-After-Free Vulnerabilities in Chrome

Related: Mozilla Rolling Out ‘Site Isolation’ With Release of Firefox 94

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
