Mozilla Security Advisory for Firefox ESR vulnerabilities.

THREAT LEVEL: Green.

For a detailed advisory, download the pdf file here

Mozilla addressed multiple security vulnerabilities by releasing two security advisories and four of the bugs have high impact.

One of the four vulnerabilities is a Time-of-Check Time-of-Use bug (CVE-2022-26387), which occurs when installing an add-on and Firefox verifies the signature before prompting the user; however, while the user was confirming the prompt, the underlying add-on file could have been modified without Firefox noticing.

The second vulnerability(CVE-2022-26384) allows an attacker to control the contents of an iframe sandboxed with allow-popups but not allow-scripts, allowing them to build a link that, when clicked, will result in JavaScript execution outside of the sandbox.

Third in the lot, is a spoofing vulnerability that occurs when resizing a popup after requesting Fullscreen access, the popup would not display the Fullscreen notification

The last one is the Use-After-free flaw, which is a well-known vulnerability in browsers. An attacker can exploit this flaw to force a text reflow in an SVG object, potentially leading to a crash.

All these vulnerabilities has been patched in Firefox ESR 91.7 and Firefox 98