Mozilla Foundation reports:

CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data

CVE-2017-7844: Visited history information leak through SVG image

ge 57.0,1 lt 57.0.1,1

< 56.0.2_11,1

< 56.0.s20171130

< 2.49.2

< 52.5.1,1

< 52.5.1,2

Mozilla Foundation reports:

Fixes for security problems in the JavaScript engine described in MFSA 2008-15 introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.

< 2.0.0.14,1

< 2.0.0.14

< 1.1.10

< 1.1.2

gt 0

< 2.0.0.14

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 53.0_2,1

< 2.49.1

ge 46.0,1 lt 52.1.0_2,1

< 45.9.0,1

ge 46.0,2 lt 52.1.0,2

< 45.9.0,2

ge 46.0 lt 52.1.0

< 45.9.0

ge 46.0 lt 52.1.0

< 45.9.0

The Mozilla Project reports:

MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)

MFSA 2012-58 Use-after-free issues found using Address Sanitizer

MFSA 2012-59 Location object can be shadowed using Object.defineProperty

MFSA 2012-60 Escalation of privilege through about:newtab

MFSA 2012-61 Memory corruption with bitmap format images with negative height

MFSA 2012-62 WebGL use-after-free and memory corruption

MFSA 2012-63 SVG buffer overflow and use-after-free issues

MFSA 2012-64 Graphite 2 memory corruption

MFSA 2012-65 Out-of-bounds read in format-number in XSLT

MFSA 2012-66 HTTPMonitor extension allows for remote debugging without explicit activation

MFSA 2012-67 Installer will launch incorrect executable following new installation

MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html

MFSA 2012-69 Incorrect site SSL certificate data display

MFSA 2012-70 Location object security checks bypassed by chrome code

MFSA 2012-71 Insecure use of __android_log_print

MFSA 2012-72 Web console eval capable of executing chrome-privileged code

gt 11.0,1 lt 15.0,1

< 10.0.7,1

< 10.0.7,1

< 2.12

< 10.0.7

< 2.12

gt 11.0 lt 15.0

< 10.0.7

gt 1.9.2.* lt 10.0.7

A Mozilla Foundation Security Advisory reports of multiple issues. Several of which can be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2006-29 Spoofing with translucent windows
• MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented
• MFSA 2006-26 Mail Multiple Information Disclosure
• MFSA 2006-25 Privilege escalation through Print Preview
• MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
• MFSA 2006-23 File stealing by changing input type
• MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
• MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2)
• MFSA 2006-19 Cross-site scripting using .valueOf.call()
• MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability
• MFSA 2006-17 cross-site scripting through window.controllers
• MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()
• MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent
• MFSA 2006-14 Privilege escalation via XBL.method.eval
• MFSA 2006-13 Downloading executables with "Save Image As..."
• MFSA 2006-12 Secure-site spoof (requires security warning dialog)
• MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)
• MFSA 2006-10 JavaScript garbage-collection hazard audit
• MFSA 2006-09 Cross-site JavaScript injection using event handlers

< 1.0.8,1

gt 1.5.*,1 lt 1.5.0.2,1

< 1.5.0.2

< 1.7.13,2

ge 1.8.*,2

< 1.7.13

gt 0

< 1.0.1

< 1.5.0.2

The Mozilla Project reports:

Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

Title: Memory corruption found using Address Sanitizer

Privileged content access and execution via XBL

Arbitrary code execution within Profiler

Execution of unmapped memory through onreadystatechange

Data in the body of XHR HEAD requests leads to CSRF attacks

SVG filters can lead to information disclosure

PreserveWrapper has inconsistent behavior

Sandbox restrictions not applied to nested frame elements

X-Frame-Options ignored when using server push with multi-part responses

XrayWrappers can be bypassed to run user defined methods in a privileged context

getUserMedia permission dialog incorrectly displays location

Homograph domain spoofing in .com, .net and .name

Inaccessible updater can lead to local privilege escalation

gt 18.0,1 lt 22.0,1

< 17.0.7,1

< 17.0.7,1

< 2.19

< 17.0.7

< 2.19

gt 11.0 lt 17.0.7

The Mozilla Project reports:

MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion

gt 3.6.*,1 lt 3.6.12,1

gt 3.5.*,1 lt 3.5.15,1

gt 1.9.2.* lt 1.9.2.12

< 3.6.12,1

< 3.5.15

< 2.0.10

< 3.1.6

gt 2.0.* lt 2.0.10

ge 3.0 lt 3.0.10

ge 3.1 lt 3.1.6

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2007-25 XPCNativeWrapper pollution
• MFSA 2007-24 Unauthorized access to wyciwyg:// documents
• MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
• MFSA 2007-20 Frame spoofing while window is loading
• MFSA 2007-19 XSS using addEventListener and setTimeout
• MFSA 2007-18 Crashes with evidence of memory corruption

< 2.0.0.5,1

gt 3.*,1 lt 3.0.a2_3,1

< 2.0.0.5

< 1.1.3

< 3.0.a2007.12.12

< 2.0.a2007.12.12

gt 0

The Mozilla Project reports:

MFSA 2011-12 Miscellaneous memory safety hazards

MFSA 2011-13 Multiple dangling pointer vulnerabilities

MFSA 2011-14 Information stealing via form history

MFSA 2011-15 Escalation of privilege through Java Embedding Plugin

MFSA 2011-16 Directory traversal in resource: protocol

MFSA 2011-17 WebGLES vulnerabilities

MFSA 2011-18 XSLT generate-id() function heap address leak

gt 3.6.*,1 lt 3.6.17,1

gt 3.5.*,1 lt 3.5.19,1

gt 4.0.*,1 lt 4.0.1,1

gt 1.9.2.* lt 1.9.2.17

< 3.6.17,1

< 3.5.19

gt 2.0.* lt 2.0.14

gt 2.0.* lt 2.0.14

Mozilla Foundation reports:

MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

MFSA 2016-17 Local file overwriting and potential privilege escalation through CSP reports

MFSA 2016-18 CSP reports fail to strip location information for embedded iframe pages

MFSA 2016-19 Linux video memory DOS with Intel drivers

MFSA 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing

MFSA 2016-21 Displayed page address can be overridden

MFSA 2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager

MFSA 2016-23 Use-after-free in HTML5 string parser

MFSA 2016-24 Use-after-free in SetBody

MFSA 2016-25 Use-after-free when using multiple WebRTC data channels

MFSA 2016-26 Memory corruption when modifying a file being read by FileReader

MFSA 2016-27 Use-after-free during XML transformations

MFSA 2016-28 Addressbar spoofing though history navigation and Location protocol property

MFSA 2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore

MFSA 2016-31 Memory corruption with malicious NPAPI plugin

MFSA 2016-32 WebRTC and LibVPX vulnerabilities found through code inspection

MFSA 2016-33 Use-after-free in GetStaticInstance in WebRTC

MFSA 2016-34 Out-of-bounds read in HTML parser following a failed allocation

< 45.0,1

< 2.42

< 38.7.0,1

< 38.7.0

Mozilla Foundation reports:

Security researcher Hanno Böck reported that calculations with mp_div and mp_exptmod in Network Security Services (NSS) can produce wrong results in some circumstances. These functions are used within NSS for a variety of cryptographic division functions, leading to potential cryptographic weaknesses.

Mozilla developer Eric Rescorla reported that a failed allocation during DHE and ECDHE handshakes would lead to a use-after-free vulnerability.

< 3.21

< 44.0,1

< 2.41

Mozilla Foundation reports:

MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

MFSA 2016-42 Use-after-free and buffer overflow in Service Workers

MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets

MFSA 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace

MFSA 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions

MFSA 2016-47 Write to invalid HashMap entry through JavaScript.watch()

MFSA 2016-48 Firefox Health Reports could accept events from untrusted domains

< 46.0,1

< 2.43

ge 39.0,1 lt 45.1.0,1

< 38.8.0,1

ge 39.0 lt 45.1.0

< 38.8.0

Mozilla Foundation reports:

CVE-2018-12386: Type confusion in JavaScript

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered.

CVE-2018-12387:

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.

< 62.0.3,1

< 56.2.4

< 2.53.0

< 60.2.2,1

< 60.2.2,2

< 60.2.2

The Mozilla Project reports:

MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)

MFSA 2011-37 Integer underflow when using JavaScript RegExp

MFSA 2011-38 XSS via plugins and shadowed window.location object

MFSA 2011-39 Defense against multiple Location headers due to CRLF Injection

MFSA 2011-40 Code installation through holding down Enter

MFSA 2011-41 Potentially exploitable WebGL crashes

MFSA 2011-42 Potentially exploitable crash in the YARR regular expression library

MFSA 2011-43 loadSubScript unwraps XPCNativeWrapper scope parameter

MFSA 2011-44 Use after free reading OGG headers

MFSA 2011-45 Inferring Keystrokes from motion data

gt 4.0,1 lt 7.0,1

gt 3.6.*,1 lt 3.6.23,1

gt 1.9.2.* lt 1.9.2.23

< 7.0,1

< 2.4

< 7.0

< 2.4

gt 4.0 lt 7.0

< 3.1.15

The Mozilla Project reports:

MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

MFSA 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer

MFSA 2013-03 Buffer Overflow in Canvas

MFSA 2013-04 URL spoofing in addressbar during page loads

MFSA 2013-05 Use-after-free when displaying table with many columns and column groups

MFSA 2013-06 Touch events are shared across iframes

MFSA 2013-07 Crash due to handling of SSL on threads

MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection

MFSA 2013-09 Compartment mismatch with quickstubs returned values

MFSA 2013-10 Event manipulation in plugin handler to bypass same-origin policy

MFSA 2013-11 Address space layout leaked in XBL objects

MFSA 2013-12 Buffer overflow in Javascript string concatenation

MFSA 2013-13 Memory corruption in XBL with XML bindings containing SVG

MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype

MFSA 2013-15 Privilege escalation through plugin objects

MFSA 2013-16 Use-after-free in serializeToStream

MFSA 2013-17 Use-after-free in ListenerManager

MFSA 2013-18 Use-after-free in Vibrate

MFSA 2013-19 Use-after-free in Javascript Proxy objects

MFSA 2013-20 Mis-issued TURKTRUST certificates

gt 11.0,1 lt 17.0.2,1

< 10.0.12,1

< 17.0.2,1

< 2.15

< 17.0.2

< 2.15

gt 11.0 lt 17.0.2

< 10.0.12

gt 1.9.2.* lt 10.0.12

< 3.14.1

The Mozilla Project reports:

MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

MFSA 2014-75 Buffer overflow during CSS manipulation

MFSA 2014-76 Web Audio memory corruption issues with custom waveforms

MFSA 2014-78 Further uninitialized memory use during GIF

MFSA 2014-79 Use-after-free interacting with text directionality

MFSA 2014-80 Key pinning bypasses

MFSA 2014-81 Inconsistent video sharing within iframe

MFSA 2014-82 Accessing cross-origin objects via the Alarms API

< 33.0,1

< 31.2.0,1

< 33.0,1

< 2.30

< 31.2.0

< 2.30

< 31.2.0

< 31.2.0

Mozilla Foundation reports:

CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS

CVE-2019-9816: Type confusion with object groups and UnboxedObjects

CVE-2019-9817: Stealing of cross-domain images using canvas

CVE-2019-9818: Use-after-free in crash generation server

CVE-2019-9819: Compartment mismatch with fetch API

CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

CVE-2019-9821: Use-after-free in AssertWorkerThread

CVE-2019-11691: Use-after-free in XMLHttpRequest

CVE-2019-11692: Use-after-free removing listeners in the event listener manager

CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux

CVE-2019-7317: Use-after-free in png_image_free of libpng library

CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox

CVE-2019-11695: Custom cursor can render over user interface outside of web content

CVE-2019-11696: Java web start .JNLP files are not recognized as executable files for download prompts

CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions

CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks

CVE-2019-11700: res: protocol can be used to open known local files

CVE-2019-11699: Incorrect domain name highlighting during page navigation

CVE-2019-11701: webcal: protocol default handler loads vulnerable web page

CVE-2019-9814: Memory safety bugs fixed in Firefox 67

CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7

< 67.0,1

< 56.2.10

< 2.53.0

< 60.7.0,1

< 60.7.0,2

< 60.7.0

The Mozilla Project reports:

MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix

gt 3.6.*,1 lt 3.6.8,1

< 3.6.8,1

The Mozilla Project reports:

MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

MFSA 2012-02 Overly permissive IPv6 literal syntax

MFSA 2012-03 iframe element exposed across domains via name attribute

MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes

MFSA 2012-05 Frame scripts calling into untrusted objects bypass security checks

MFSA 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure

MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files

MFSA 2012-08 Crash with malformed embedded XSLT stylesheets

MFSA 2012-09 Firefox Recovery Key.html is saved with unsafe permission

gt 4.0,1 lt 10.0,1

ge 3.6.*,1 lt 3.6.26

< 10.0,1

< 2.7

< 10.0

< 2.7

gt 4.0 lt 10.0

gt 3.1.* lt 3.1.18

Mozilla Foundation reports:

The Firefox 2.0.0.10 update contains fixes for three bugs that improve the stability of the product. These crashes showed some evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

< 2.0.0.10,1

< 2.0.0.10

< 1.1.7

< 1.0.2

< 3.0.a2007.12.12

< 2.0.a2007.12.12

Mozilla Project reports:

MFSA 2010-05 XSS hazard using SVG document and binary Content-Type

MFSA 2010-04 XSS due to window.dialogArguments being readable cross-domain

MFSA 2010-03 Use-after-free crash in HTML parser

MFSA 2010-02 Web Worker Array Handling Heap Corruption Vulnerability

MFSA 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)

gt 3.5.*,1 lt 3.5.8,1

gt 3.*,1 lt 3.0.18,1

< 3.0.18,1

< 3.5.8

gt 2.0.* lt 2.0.3

ge 3.0 lt 3.0.2

A Mozilla Foundation Security Advisory reports of multiple issues. Several of which can be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2006-56 chrome: scheme loading remote content
• MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
• MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...)
• MFSA 2006-53 UniversalBrowserRead privilege escalation
• MFSA 2006-52 PAC privilege escalation using Function.prototype.call
• MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()"
• MFSA 2006-50 JavaScript engine vulnerabilities
• MFSA 2006-49 Heap buffer overwrite on malformed VCard
• MFSA 2006-48 JavaScript new Function race condition
• MFSA 2006-47 Native DOM methods can be hijacked across domains
• MFSA 2006-46 Memory corruption with simultaneous events
• MFSA 2006-45 Javascript navigator Object Vulnerability
• MFSA 2006-44 Code execution through deleted frame reference

< 1.5.0.5,1

gt 2.*,1 lt 2.0_1,1

< 1.5.0.5

< 3.0.a2006.07.26

< 1.0.3

< 1.5.0.5

gt 0

Mozilla Foundation reports:

CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList

CVE-2018-5128: Use-after-free manipulating editor selection ranges

CVE-2018-5129: Out-of-bounds write with malformed IPC messages

CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption

CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources

CVE-2018-5132: WebExtension Find API can search privileged pages

CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized

CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions

CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts

CVE-2018-5136: Same-origin policy violation with data: URL shared workers

CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources

CVE-2018-5138: Android Custom Tab address spoofing through long domain names

CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol

CVE-2018-5141: DOS attack through notifications Push API

CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs

CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar

CVE-2018-5126: Memory safety bugs fixed in Firefox 59

CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7

< 59.0_1,1

< 56.0.4.36_3

< 2.49.3

< 52.7.0,1

< 52.7.0,2

< 52.7.0

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
• MFSA 2008-18 Java socket connection to any local port via LiveConnect
• MFSA 2008-17 Privacy issue with SSL Client Authentication
• MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
• MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
• MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution

< 2.0.0.13,1

< 2.0.0.13

< 1.1.9

< 1.1.1

gt 0

< 2.0.0.14

The Mozilla Project reports:

MFSA 2015-45 Memory corruption during failed plugin initialization

< 37.0.2,1

< 37.0.2,1

Mozilla Foundation reports:

MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)

MFSA 2016-02 Out of Memory crash when parsing GIF format images

MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation

MFSA 2016-04 Firefox allows for control characters to be set in cookie names

MFSA 2016-06 Missing delay following user click events in protocol handler dialog

MFSA 2016-09 Addressbar spoofing attacks

MFSA 2016-10 Unsafe memory manipulation found through code inspection

MFSA 2016-11 Application Reputation service disabled in Firefox 43

< 44.0,1

< 2.41

< 38.6.0,1

< 38.6.0

The Mozilla Foundation reports a vulnerability within the mozilla browser. This vulnerability also affects various other browsers like firefox and seamonkey. The vulnerability is caused by QuickTime Media-Link files that contain a qtnext attribute. This could allow an attacker to start the browser with arbitrary command-line options. This could allow the attacker to install malware, steal local data and possibly execute and/or do other arbitrary things within the users context.

< 2.0.0.7,1

< 2.0.0.7

< 1.1.5

< 3.0.a2007.12.12

< 2.0.a2007.12.12

gt 0

The Mozilla Project reports:

MFSA 2014-66 IFRAME sandbox same-origin access through redirect

MFSA 2014-65 Certificate parsing broken by non-standard character encoding

MFSA 2014-64 Crash in Skia library when scaling high quality images

MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache

MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library

MFSA 2014-61 Use-after-free with FireOnStateChange event

MFSA 2014-60 Toolbar dialog customization event spoofing

MFSA 2014-59 Use-after-free in DirectWrite font handling

MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering

MFSA 2014-57 Buffer overflow during Web Audio buffering for playback

MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

< 31.0,1

< 24.7.0,1

< 31.0,1

< 24.7.0

< 24.7.0

< 3.16.1_2

Mozilla Project reports:

MFSA 2009-38: Data corruption with SOCKS5 reply containing DNS name longer than 15 characters

MFSA 2009-42: Compromise of SSL-protected communication

MFSA 2009-43: Heap overflow in certificate regexp parsing

MFSA 2009-44: Location bar and SSL indicator spoofing via window.open() on invalid URL

MFSA 2009-45: Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)

MFSA 2009-46: Chrome privilege escalation due to incorrectly cached wrapper

< 3.*,1

gt 3.*,1 lt 3.0.13,1

gt 3.5.*,1 lt 3.5.2,1

< 3.5.2

< 1.1.18

gt 0

< 2.0.0.23

Mozilla Foundation reports:

CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin

CVE-2018-12392: Crash with nested event loops

CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript

CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting

CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts

CVE-2018-12397:

CVE-2018-12398: CSP bypass through stylesheet injection in resource URIs

CVE-2018-12399: Spoofing of protocol registration notification bar

CVE-2018-12400: Favicons are cached in private browsing mode on Firefox for Android

CVE-2018-12401: DOS attack through special resource URI parsing

CVE-2018-12402: SameSite cookies leak when pages are explicitly saved

CVE-2018-12403: Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP

CVE-2018-12388: Memory safety bugs fixed in Firefox 63

CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

< 63.0_1,1

< 56.2.5

< 2.53.0

< 60.3.0,1

< 60.3.0,2

< 60.3.0

Mozilla Foundation reports:

CVE-2019-9811: Sandbox escape via installation of malicious language pack

CVE-2019-11711: Script injection within domain through inner window reuse

CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

CVE-2019-11713: Use-after-free with HTTP/2 cached stream

CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread

CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

CVE-2019-11715: HTML parsing error can contribute to content XSS

CVE-2019-11716: globalThis not enumerable until accessed

CVE-2019-11717: Caret character improperly escaped in origins

CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML

CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

CVE-2019-11720: Character encoding XSS vulnerability

CVE-2019-11721: Domain spoofing through unicode latin 'kra' character

CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries

CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions

CVE-2019-11725: Websocket resources bypass safebrowsing protections

CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3

CVE-2019-11728: Port scanning through Alt-Svc header

CVE-2019-11710: Memory safety bugs fixed in Firefox 68

CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

< 68.0_4,1

< 56.2.12

< 2.53.0

< 60.8.0,1

< 60.8.0,2

< 60.8.0

Mozilla Foundation reports:

Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts.

Security researcher James Clawson used the Address Sanitizer tool to discover an out-of-bounds write in the Graphite 2 library when loading a crafted Graphite font file. This results in a potentially exploitable crash.

< 1.3.6

< 45.0,1

< 38.7.0

< 2.42

Mozilla Foundation reports:

CVE-2018-5091: Use-after-free with DTMF timers

CVE-2018-5092: Use-after-free in Web Workers

CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing

CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on uninitialized memory

CVE-2018-5095: Integer overflow in Skia library during edge builder allocation

CVE-2018-5097: Use-after-free when source document is manipulated during XSLT

CVE-2018-5098: Use-after-free while manipulating form input elements

CVE-2018-5099: Use-after-free with widget listener

CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are freed from memory

CVE-2018-5101: Use-after-free with floating first-letter style elements

CVE-2018-5102: Use-after-free in HTML media elements

CVE-2018-5103: Use-after-free during mouse event handling

CVE-2018-5104: Use-after-free during font face manipulation

CVE-2018-5105: WebExtensions can save and execute files on local file system without user prompts

CVE-2018-5106: Developer Tools can expose style editor information cross-origin through service worker

CVE-2018-5107: Printing process will follow symlinks for local file access

CVE-2018-5108: Manually entered blob URL can be accessed by subsequent private browsing tabs

CVE-2018-5109: Audio capture prompts and starts with incorrect origin attribution

CVE-2018-5110: Cursor can be made invisible on OS X

CVE-2018-5111: URL spoofing in addressbar through drag and drop

CVE-2018-5112: Extension development tools panel can open a non-relative URL in the panel

CVE-2018-5113: WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow

CVE-2018-5114: The old value of a cookie changed to HttpOnly remains accessible to scripts

CVE-2018-5115: Background network requests can open HTTP authentication in unrelated foreground tabs

CVE-2018-5116: WebExtension ActiveTab permission allows cross-origin frame content access

CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right

CVE-2018-5118: Activity Stream images can attempt to load local content through file:

CVE-2018-5119: Reader view will load cross-origin content in violation of CORS headers

CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar

CVE-2018-5122: Potential integer overflow in DoCrypt

CVE-2018-5090: Memory safety bugs fixed in Firefox 58

CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6

< 58.0_1,1

< 56.0.3.63

< 2.49.2

< 52.6.0_1,1

< 52.6.0,2

< 52.6.0

The Mozilla Foundation reports:

MFSA 2008-58 Parsing error in E4X default namespace

MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals

MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation

MFSA 2008-55 Crash and remote code execution in nsFrameManager

MFSA 2008-54 Buffer overflow in http-index-format parser

MFSA 2008-53 XSS and JavaScript privilege escalation via session restore

MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)

MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome

MFSA 2008-50 Crash and remote code execution via __proto__ tampering

MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading

MFSA 2008-48 Image stealing via canvas and HTTP redirect

MFSA 2008-47 Information stealing via local shortcut files

MFSA 2008-46 Heap overflow when canceling newsgroup message

MFSA 2008-44 resource: traversal vulnerabilities

MFSA 2008-43 BOM characters stripped from JavaScript before execution

MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)

MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution

MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation

MFSA 2008-37 UTF-8 URL stack buffer overflow

< 2.0.0.18,1

gt 3.*,1 lt 3.0.4,1

< 2.0.0.18

< 1.1.13

< 2.0.0.18

The Mozilla Project reports:

MFSA 2011-46 loadSubScript unwraps XPCNativeWrapper scope parameter (1.9.2 branch)

MFSA 2011-47 Potential XSS against sites using Shift-JIS

MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0)

MFSA 2011-49 Memory corruption while profiling using Firebug

MFSA 2011-50 Cross-origin data theft using canvas and Windows D2D

MFSA 2011-51 Cross-origin image theft on Mac with integrated Intel GPU

MFSA 2011-52 Code execution via NoWaiverWrapper

gt 4.0,1 lt 8.0,1

gt 3.6.*,1 lt 3.6.24,1

gt 1.9.2.* lt 1.9.2.24

< 8.0,1

< 8.0

gt 4.0 lt 8.0

< 3.1.16

The Mozilla Project reports:

MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

MFSA 2012-75 select element persistance allows for attacks

MFSA 2012-76 Continued access to initial origin after setting document.domain

MFSA 2012-77 Some DOMWindowUtils methods bypass security checks

MFSA 2012-78 Reader Mode pages have chrome privileges

MFSA 2012-79 DOS and crash with full screen and history navigation

MFSA 2012-80 Crash with invalid cast when using instanceof operator

MFSA 2012-81 GetProperty function can bypass security checks

MFSA 2012-82 top object and location property accessible by plugins

MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties

MFSA 2012-84 Spoofing and script injection through location.hash

MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer

MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer

MFSA 2012-87 Use-after-free in the IME State Manager

MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)

MFSA 2012-89 defaultValue security checks not applied

gt 11.0,1 lt 16.0.1,1

< 10.0.9,1

< 10.0.9,1

< 2.13.1

< 10.0.9

< 2.13.1

gt 11.0 lt 16.0.1

< 10.0.9

gt 1.9.2.* lt 10.0.9

The Mozilla Project reports:

MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer

MFSA 2014-36 Web Audio memory corruption issues

MFSA 2014-37 Out of bounds read while decoding JPG images

MFSA 2014-38 Buffer overflow when using non-XBL object as XBL

MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video

MFSA 2014-41 Out-of-bounds write in Cairo

MFSA 2014-42 Privilege escalation through Web Notification API

MFSA 2014-43 Cross-site scripting (XSS) using history navigations

MFSA 2014-44 Use-after-free in imgLoader while resizing images

MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates

MFSA 2014-46 Use-after-free in nsHostResolve

MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript

< 29.0,1

< 24.5.0,1

< 29.0,1

< 2.26

< 24.5.0

< 2.26

< 24.5.0

The Mozilla Project reports:

MFSA 2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header

MFSA 2015-43 Loading privileged content through Reader mode

< 37.0.1,1

< 37.0.1,1

Mozilla Foundation reports:

CVE-2016-9894: Buffer overflow in SkiaGL

CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements

CVE-2016-9895: CSP bypass using marquee tag

CVE-2016-9896: Use-after-free with WebVR

CVE-2016-9897: Memory corruption in libGLES

CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees

CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs

CVE-2016-9904: Cross-origin information leak in shared atoms

CVE-2016-9901: Data from Pocket server improperly sanitized before execution

CVE-2016-9902: Pocket extension does not validate the origin of events

CVE-2016-9903: XSS injection vulnerability in add-ons SDK

CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1

CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6

< 50.1.0_1,1

< 2.47

< 45.6.0,1

< 45.6.0,2

< 45.6.0

Mozilla Project reports:

MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy

MFSA 2010-23 Image src redirect to mailto: URL opens email editor

MFSA 2010-22 Update NSS to support TLS renegotiation indication

MFSA 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy

MFSA 2010-20 Chrome privilege escalation via forced URL drag and drop

MFSA 2010-19 Dangling pointer vulnerability in nsPluginArray

MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView

MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection

MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)

gt 2.0 lt 2.0.4

ge 3.0 lt 3.0.4

gt 3.5.*,1 lt 3.5.9,1

gt 3.*,1 lt 3.0.19,1

< 3.0.19,1

< 3.5.9

< 3.12.5

Mozilla Foundation reports:

CVE-2017-7828: Use-after-free of PressShell while restyling layout

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects

CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers

CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters

CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

CVE-2017-7835: Mixed content blocking incorrectly applies with redirects

CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X

CVE-2017-7837: SVG loaded as can use meta tags to set cookies

CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN

CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism

CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags

CVE-2017-7842: Referrer Policy is not always respected for elements

CVE-2017-7827: Memory safety bugs fixed in Firefox 57

CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

< 56.0.2_10,1

< 2.49.2

< 52.5.0,1

< 52.5.0,2

< 52.5.0

Mozilla Foundation reports:

MFSA 2009-22: Firefox allows Refresh header to redirect to javascript: URIs

MFSA 2009-21: POST data sent to wrong site when saving web page with embedded frame

MFSA 2009-20: Malicious search plugins can inject code into arbitrary sites

MFSA 2009-19: Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString

MFSA 2009-18: XSS hazard using third-party stylesheets and XBL bindings

MFSA 2009-17: Same-origin violations when Adobe Flash loaded via view-source: scheme

MFSA 2009-16: jar: scheme ignores the content-disposition: header on the inner URI

MFSA 2009-15: URL spoofing with box drawing character

MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)

< 2.0.0.20_7,1

gt 3.*,1 lt 3.0.9,1

< 3.0.9

gt 0

< 1.1.17

< 2.0.0.22

RedHat reports:

Several flaws were found in the way in which Firefox displayed malformed web content. A web page containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334)

< 2.0.0.8,1

< 2.0.0.8

< 1.1.5

The Mozilla Project reports:

MFSA-2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)

MFSA-2015-02 Uninitialized memory use during bitmap rendering

MFSA-2015-03 sendBeacon requests lack an Origin header

MFSA-2015-04 Cookie injection through Proxy Authenticate responses

MFSA-2015-05 Read of uninitialized memory in Web Audio

MFSA-2015-06 Read-after-free in WebRTC

MFSA-2015-07 Gecko Media Plugin sandbox escape

MFSA-2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension

MFSA-2015-09 XrayWrapper bypass through DOM objects

< 35.0,1

< 31.4.0,1

< 35.0,1

< 2.32

< 31.4.0

< 2.32

< 31.4.0

< 31.4.0

The Mozilla Project reports:

MFSA 2011-29 Security issues addressed in Firefox 6

MFSA 2011-28 Security issues addressed in Firefox 3.6.20

gt 3.6.*,1 lt 3.6.20,1

gt 5.0.*,1 lt 6.0,1

< 2.3

< 3.6.20,1

< 3.1.12

< 3.1.12

Mozilla Foundation reports:

MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)

MFSA 2009-63 Upgrade media libraries to fix memory safety bugs

MFSA 2009-62 Download filename spoofing with RTL override

MFSA 2009-61 Cross-origin data theft through document.getSelection()

MFSA 2009-59 Heap buffer overflow in string to number conversion

MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()

MFSA 2009-56 Heap buffer overflow in GIF color map parser

MFSA 2009-55 Crash in proxy auto-configuration regexp parsing

MFSA 2009-54 Crash with recursive web-worker calls

MFSA 2009-53 Local downloaded file tampering

MFSA 2009-52 Form history vulnerable to stealing

gt 3.5.*,1 lt 3.5.4,1

gt 3.*,1 lt 3.0.15,1

< 3.0.15

< 2.0

Mozilla Foundation reports:

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]

CVE-2016-5283 -