Mozilla Foundation reports:

CVE-2018-18356: Use-after-free in Skia

CVE-2019-5785: Integer overflow in Skia

CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext

< 65.0.1,1

< 60.5.1,1

< 60.5.1

The Mozilla Foundation reports:

CVE-2018-5148: Use-after-free in compositor

A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash.

< 59.0.2,1

< 56.0.4.36_3

< 2.49.3

< 52.7.3,1

< 52.7.3,2

< 52.7.3

< 52.7.1

< 52.7.0_1

Google Chrome Releases reports:

[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.

Mozilla Foundation reports:

Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially exploitable crash when triggered.

ge 0.3.0 lt 0.3.0_1

< 0.2.0_2

< 0.3.0_3

< 48.0.2564.109

< 45.0,1

< 2.42

< 38.7.0,1

< 38.7.0

Mozilla Foundation reports:

CVE-2018-12377: Use-after-free in refresh driver timers

CVE-2018-12378: Use-after-free in IndexedDB

CVE-2018-12379: Out-of-bounds write with malicious MAR file

CVE-2017-16541: Proxy bypass using automount and autofs

CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation

CVE-2018-12382: Addressbar spoofing with javascript URI on Firefox for Android

CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords

CVE-2018-12375: Memory safety bugs fixed in Firefox 62

CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2

< 62.0_1,1

< 56.2.3

< 2.49.5

< 60.2.0_1,1

< 60.2.0,2

< 60.2

Mozilla Foundation reports:

CVE-2019-11708: sandbox escape using Prompt:Open

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.

< 67.0.4,1

< 56.2.12

< 60.7.2,1

Mozilla Foundation reports:

CVE-2019-9811: Sandbox escape via installation of malicious language pack

CVE-2019-11711: Script injection within domain through inner window reuse

CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

CVE-2019-11713: Use-after-free with HTTP/2 cached stream

CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread

CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

CVE-2019-11715: HTML parsing error can contribute to content XSS

CVE-2019-11716: globalThis not enumerable until accessed

CVE-2019-11717: Caret character improperly escaped in origins

CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML

CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

CVE-2019-11720: Character encoding XSS vulnerability

CVE-2019-11721: Domain spoofing through unicode latin 'kra' character

CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries

CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions

CVE-2019-11725: Websocket resources bypass safebrowsing protections

CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3

CVE-2019-11728: Port scanning through Alt-Svc header

CVE-2019-11710: Memory safety bugs fixed in Firefox 68

CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

< 68.0_4,1

< 56.2.12

< 2.53.0

< 60.8.0,1

< 60.8.0,2

< 60.8.0

The Mozilla Foundation reports:

Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them.

< 50.0.1,1

Mozilla Foundation reports:

CVE-2018-12359: Buffer overflow using computed size of canvas element

CVE-2018-12360: Use-after-free when using focus()

CVE-2018-12361: Integer overflow in SwizzleData

CVE-2018-12358: Same-origin bypass using service worker and redirection

CVE-2018-12362: Integer overflow in SSSE3 scaler

CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture

CVE-2018-12363: Use-after-free when appending DOM nodes

CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins

CVE-2018-12365: Compromised IPC child process can list local filenames

CVE-2018-12371: Integer overflow in Skia library during edge builder allocation

CVE-2018-12366: Invalid data handling during QCMS transformations

CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming

CVE-2018-12368: No warning when opening executable SettingContent-ms files

CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments

CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View

CVE-2018-5186: Memory safety bugs fixed in Firefox 61

CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1

CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9

< 61.0_1,1

< 56.2.1.19_2

< 2.49.4

ge 60.0,1 lt 60.1.0_1,1

< 52.9.0_1,1

< 52.9.0,2

< 52.9.0

The Mozilla Foundation reports:

Mozilla developer Johann Hofmann reported that unsanitized output in the browser UI can lead to arbitrary code execution.

< 58.0.1,1

< 56.0.3.65

Mozilla Foundation reports:

MFSA 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)

MFSA 2016-50 Buffer overflow parsing HTML5 fragments

MFSA 2016-51 Use-after-free deleting tables from a contenteditable document

MFSA 2016-52 Addressbar spoofing though the SELECT element

MFSA 2016-54 Partial same-origin-policy through setting location.host through data URI

MFSA 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction

MFSA 2016-57 Incorrect icon displayed on permissions notifications

MFSA 2016-58 Entering fullscreen and persistent pointerlock without user permission

MFSA 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes

MFSA 2016-60 Java applets bypass CSP protections

< 47.0,1

< 2.44

< 45.2.0,1

< 45.2.0,2

< 45.2.0

The Mozilla Project reports:

MFSA 2015-133 NSS and NSPR memory corruption issues

MFSA 2015-132 Mixed content WebSocket policy bypass through workers

MFSA 2015-131 Vulnerabilities found through code inspection

MFSA 2015-130 JavaScript garbage collection crash with Java applet

MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped

MFSA 2015-128 Memory corruption in libjar through zip files

MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received

MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X

MFSA 2015-125 XSS attack through intents on Firefox for Android

MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files

MFSA 2015-123 Buffer overflow during image interactions in canvas

MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy

MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect

MFSA 2015-120 Reading sensitive profile files through local HTML file on Android

MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode

MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist

MFSA 2015-117 Information disclosure through NTLM authentication

MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

< 4.10.10

< 4.10.10

ge 3.20 lt 3.20.1

ge 3.19.3 lt 3.19.4

< 3.19.2.1

< 42.0,1

< 42.0,1

< 2.39

< 2.39

< 38.4.0,1

< 38.4.0

< 38.4.0

< 38.4.0

The Mozilla Foundation reports:

An integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.

< 52.0.1,1

Mozilla Foundation reports:

CVE-2019-9790: Use-after-free when removing in-use DOM elements

CVE-2019-9791: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey

CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script

CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled

CVE-2019-9794: Command line arguments not discarded during execution

CVE-2019-9795: Type-confusion in IonMonkey JIT compiler

CVE-2019-9796: Use-after-free with SMIL animation controller

CVE-2019-9797: Cross-origin theft of images with createImageBitmap

CVE-2019-9798: Library is loaded from world writable APITRACE_LIB location

CVE-2019-9799: Information disclosure via IPC channel messages

CVE-2019-9801: Windows programs that are not 'URL Handlers' are exposed to web content

CVE-2019-9802: Chrome process information leak

CVE-2019-9803: Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation

CVE-2019-9804: Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS

CVE-2019-9805: Potential use of uninitialized memory in Prio

CVE-2019-9806: Denial of service through successive FTP authorization prompts

CVE-2019-9807: Text sent through FTP connection can be incorporated into alert messages

CVE-2019-9809: Denial of service through FTP modal alert error messages

CVE-2019-9808: WebRTC permissions can display incorrect origin with data: and blob: URLs

CVE-2019-9789: Memory safety bugs fixed in Firefox 66

CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6

< 66.0_3,1

< 56.2.9

< 2.53.0

< 60.6.0,1

< 60.6.0,2

< 60.6.0

The Mozilla Foundation reports:

A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used.

< 62.0.2,1

< 60.2.1,1

Mozilla Foundation reports:

CVE-2017-7828: Use-after-free of PressShell while restyling layout

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects

CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers

CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters

CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

CVE-2017-7835: Mixed content blocking incorrectly applies with redirects

CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X

CVE-2017-7837: SVG loaded as can use meta tags to set cookies

CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN

CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism

CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags

CVE-2017-7842: Referrer Policy is not always respected for elements

CVE-2017-7827: Memory safety bugs fixed in Firefox 57

CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

< 56.0.2_10,1

< 2.49.2

< 52.5.0,1

< 52.5.0,2

< 52.5.0

Mozilla Foundation reports:

CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList

CVE-2018-5128: Use-after-free manipulating editor selection ranges

CVE-2018-5129: Out-of-bounds write with malformed IPC messages

CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption

CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources

CVE-2018-5132: WebExtension Find API can search privileged pages

CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized

CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions

CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts

CVE-2018-5136: Same-origin policy violation with data: URL shared workers

CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources

CVE-2018-5138: Android Custom Tab address spoofing through long domain names

CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol

CVE-2018-5141: DOS attack through notifications Push API

CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs

CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar

CVE-2018-5126: Memory safety bugs fixed in Firefox 59

CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7

< 59.0_1,1

< 56.0.4.36_3

< 2.49.3

< 52.7.0,1

< 52.7.0,2

< 52.7.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 53.0_2,1

< 2.49.1

ge 46.0,1 lt 52.1.0_2,1

< 45.9.0,1

ge 46.0,2 lt 52.1.0,2

< 45.9.0,2

ge 46.0 lt 52.1.0

< 45.9.0

ge 46.0 lt 52.1.0

< 45.9.0

Mozilla Foundation reports:

CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS

CVE-2019-9816: Type confusion with object groups and UnboxedObjects

CVE-2019-9817: Stealing of cross-domain images using canvas

CVE-2019-9818: Use-after-free in crash generation server

CVE-2019-9819: Compartment mismatch with fetch API

CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

CVE-2019-9821: Use-after-free in AssertWorkerThread

CVE-2019-11691: Use-after-free in XMLHttpRequest

CVE-2019-11692: Use-after-free removing listeners in the event listener manager

CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux

CVE-2019-7317: Use-after-free in png_image_free of libpng library

CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox

CVE-2019-11695: Custom cursor can render over user interface outside of web content

CVE-2019-11696: Java web start .JNLP files are not recognized as executable files for download prompts

CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions

CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks

CVE-2019-11700: res: protocol can be used to open known local files

CVE-2019-11699: Incorrect domain name highlighting during page navigation

CVE-2019-11701: webcal: protocol default handler loads vulnerable web page

CVE-2019-9814: Memory safety bugs fixed in Firefox 67

CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7

< 67.0,1

< 56.2.10

< 2.53.0

< 60.7.0,1

< 60.7.0,2

< 60.7.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 55.0,1

< 2.49.1

< 52.3.0,1

< 52.3.0,2

< 52.3.0

Mozilla Foundation reports:

MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

MFSA 2016-42 Use-after-free and buffer overflow in Service Workers

MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets

MFSA 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace

MFSA 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions

MFSA 2016-47 Write to invalid HashMap entry through JavaScript.watch()

MFSA 2016-48 Firefox Health Reports could accept events from untrusted domains

< 46.0,1

< 2.43

ge 39.0,1 lt 45.1.0,1

< 38.8.0,1

ge 39.0 lt 45.1.0

< 38.8.0

Firefox Developers report:

Security researcher Abdulrahman Alqabandi reported that the fetch() API did not correctly implement the Cross-Origin Resource Sharing (CORS) specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue.

< 41.0.2,1

< 41.0.2,1

Mozilla Foundation reports:

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]

CVE-2016-5283 -