Mozilla Foundation reports:

Please reference CVE/URL list for details

< 55.0,1

< 2.49.1

< 52.3.0,1

< 52.3.0,2

< 52.3.0

Mozilla Foundation reports:

CVE-2018-12377: Use-after-free in refresh driver timers

CVE-2018-12378: Use-after-free in IndexedDB

CVE-2018-12379: Out-of-bounds write with malicious MAR file

CVE-2017-16541: Proxy bypass using automount and autofs

CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation

CVE-2018-12382: Addressbar spoofing with javascript URI on Firefox for Android

CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords

CVE-2018-12375: Memory safety bugs fixed in Firefox 62

CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2

< 62.0_1,1

< 56.2.3

< 2.49.5

< 60.2.0_1,1

< 60.2.0,2

< 60.2

Mozilla Foundation reports:

CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin

CVE-2018-12392: Crash with nested event loops

CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript

CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting

CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts

CVE-2018-12397:

CVE-2018-12398: CSP bypass through stylesheet injection in resource URIs

CVE-2018-12399: Spoofing of protocol registration notification bar

CVE-2018-12400: Favicons are cached in private browsing mode on Firefox for Android

CVE-2018-12401: DOS attack through special resource URI parsing

CVE-2018-12402: SameSite cookies leak when pages are explicitly saved

CVE-2018-12403: Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP

CVE-2018-12388: Memory safety bugs fixed in Firefox 63

CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

< 63.0_1,1

< 56.2.5

< 2.53.0

< 60.3.0,1

< 60.3.0,2

< 60.3.0

Mozilla Foundation reports:

CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList

CVE-2018-5128: Use-after-free manipulating editor selection ranges

CVE-2018-5129: Out-of-bounds write with malformed IPC messages

CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption

CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources

CVE-2018-5132: WebExtension Find API can search privileged pages

CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized

CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions

CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts

CVE-2018-5136: Same-origin policy violation with data: URL shared workers

CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources

CVE-2018-5138: Android Custom Tab address spoofing through long domain names

CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol

CVE-2018-5141: DOS attack through notifications Push API

CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs

CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar

CVE-2018-5126: Memory safety bugs fixed in Firefox 59

CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7

< 59.0_1,1

< 56.0.4.36_3

< 2.49.3

< 52.7.0,1

< 52.7.0,2

< 52.7.0

The Mozilla Foundation reports:

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.

< 50.0.2,1

< 45.5.1,1

< 45.5.1,2

< 2.46

< 2.46

< 45.5.1

< 45.5.1

< 45.5.1

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 52.0_1,1

< 2.49

ge 46.0,1 lt 52.0,1

< 45.8.0_1,1

ge 46.0,2 lt 52.0,2

< 45.8.0_1,2

ge 46.0 lt 52.0

< 45.8.0_1

ge 46.0 lt 52.0

< 45.8.0

Mozilla Foundation reports:

CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS

CVE-2019-9816: Type confusion with object groups and UnboxedObjects

CVE-2019-9817: Stealing of cross-domain images using canvas

CVE-2019-9818: Use-after-free in crash generation server

CVE-2019-9819: Compartment mismatch with fetch API

CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

CVE-2019-9821: Use-after-free in AssertWorkerThread

CVE-2019-11691: Use-after-free in XMLHttpRequest

CVE-2019-11692: Use-after-free removing listeners in the event listener manager

CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux

CVE-2019-7317: Use-after-free in png_image_free of libpng library

CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox

CVE-2019-11695: Custom cursor can render over user interface outside of web content

CVE-2019-11696: Java web start .JNLP files are not recognized as executable files for download prompts

CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions

CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks

CVE-2019-11700: res: protocol can be used to open known local files

CVE-2019-11699: Incorrect domain name highlighting during page navigation

CVE-2019-11701: webcal: protocol default handler loads vulnerable web page

CVE-2019-9814: Memory safety bugs fixed in Firefox 67

CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7

< 67.0,1

< 56.2.10

< 2.53.0

< 60.7.0,1

< 60.7.0,2

< 60.7.0

The Mozilla Foundation reports:

Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them.

< 50.0.1,1

Mozilla Foundation reports:

CVE-2019-11751: Malicious code execution through command line parameters

CVE-2019-11746: Use-after-free while manipulating video

CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML

CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images

CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service

CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location

CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB

CVE-2019-9812: Sandbox escape through Firefox Sync

CVE-2019-11741: Isolate addons.mozilla.org and accounts.firefox.com

CVE-2019-11743: Cross-origin access to unload event attributes

CVE-2019-11748: Persistence of WebRTC permissions in a third party context

CVE-2019-11749: Camera information available without prompting using getUserMedia

CVE-2019-5849: Out-of-bounds read in Skia

CVE-2019-11750: Type confusion in Spidermonkey

CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard

CVE-2019-11738: Content security policy bypass through hash-based sources in directives

CVE-2019-11747: 'Forget about this site' removes sites from pre-loaded HSTS list

CVE-2019-11734: Memory safety bugs fixed in Firefox 69

CVE-2019-11735: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1

CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9

< 69.0,1

< 56.2.14

< 2.53.0

ge 61.0,1 lt 68.1.0,1

< 60.9.0,1

ge 61.0,2 lt 68.1.0,2

< 60.9.0,2

ge 61.0 lt 68.1.0

< 60.9.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 50.0_1,1

< 2.47

< 45.5.0,1

< 45.5.0,2

< 45.5.0

The Mozilla Foundation reports:

CVE-2018-5148: Use-after-free in compositor

A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash.

< 59.0.2,1

< 56.0.4.36_3

< 2.49.3

< 52.7.3,1

< 52.7.3,2

< 52.7.3

< 52.7.1

< 52.7.0_1

Mozilla Foundation reports:

CVE-2019-11733: Stored passwords in 'Saved Logins' can be copied without master password entry

When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords.

< 1.28.2

< 68.0.2,1

Mozilla Foundation reports:

CVE-2018-12407: Buffer overflow with ANGLE library when using VertexBuffer11 module

CVE-2018-17466: Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11

CVE-2018-18492: Use-after-free with select element

CVE-2018-18493: Buffer overflow in accelerated 2D canvas with Skia

CVE-2018-18494: Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs

CVE-2018-18495: WebExtension content scripts can be loaded in about: pages

CVE-2018-18496: Embedded feed preview page can be abused for clickjacking

CVE-2018-18497: WebExtensions can load arbitrary URLs through pipe separators

CVE-2018-18498: Integer overflow when calculating buffer sizes for images

CVE-2018-12406: Memory safety bugs fixed in Firefox 64

CVE-2018-12405: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4

< 64.0_3,1

< 56.2.6

< 2.53.0

< 60.4.0,1

< 60.4.0,2

< 60.4.0

Mozilla Foundation reports:

CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data

CVE-2017-7844: Visited history information leak through SVG image

ge 57.0,1 lt 57.0.1,1

< 56.0.2_11,1

< 56.0.s20171130

< 2.49.2

< 52.5.1,1

< 52.5.1,2

Mozilla Foundation reports:

CVE-2018-12359: Buffer overflow using computed size of canvas element

CVE-2018-12360: Use-after-free when using focus()

CVE-2018-12361: Integer overflow in SwizzleData

CVE-2018-12358: Same-origin bypass using service worker and redirection

CVE-2018-12362: Integer overflow in SSSE3 scaler

CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture

CVE-2018-12363: Use-after-free when appending DOM nodes

CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins

CVE-2018-12365: Compromised IPC child process can list local filenames

CVE-2018-12371: Integer overflow in Skia library during edge builder allocation

CVE-2018-12366: Invalid data handling during QCMS transformations

CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming

CVE-2018-12368: No warning when opening executable SettingContent-ms files

CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments

CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View

CVE-2018-5186: Memory safety bugs fixed in Firefox 61

CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1

CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9

< 61.0_1,1

< 56.2.1.19_2

< 2.49.4

ge 60.0,1 lt 60.1.0_1,1

< 52.9.0_1,1

< 52.9.0,2

< 52.9.0

The Mozilla Foundation reports:

An integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.

< 52.0.1,1

The Mozilla Project reports:

MFSA 2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

MFSA 2015-135 Crash with JavaScript variable assignment with unboxed objects

MFSA 2015-136 Same-origin policy violation using perfomance.getEntries and history navigation

MFSA 2015-137 Firefox allows for control characters to be set in cookies

MFSA 2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed

MFSA 2015-139 Integer overflow allocating extremely large textures

MFSA 2015-140 Cross-origin information leak through web workers error events

MFSA 2015-141 Hash in data URI is incorrectly parsed

MFSA 2015-142 DOS due to malformed frames in HTTP/2

MFSA 2015-143 Linux file chooser crashes on malformed images due to flaws in Jasper library

MFSA 2015-144 Buffer overflows found through code inspection

MFSA 2015-145 Underflow through code inspection

MFSA 2015-146 Integer overflow in MP4 playback in 64-bit versions

MFSA 2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright

MFSA 2015-148 Privilege escalation vulnerabilities in WebExtension APIs

MFSA 2015-149 Cross-site reading attack through data and view-source URIs

< 43.0,1

< 43.0,1

< 2.40

< 2.40

< 38.5.0,1

< 38.5.0

< 38.5.0

< 38.5.0

Mozilla Foundation reports:

CVE-2017-7828: Use-after-free of PressShell while restyling layout

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects

CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers

CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters

CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

CVE-2017-7835: Mixed content blocking incorrectly applies with redirects

CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X

CVE-2017-7837: SVG loaded as can use meta tags to set cookies

CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN

CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism

CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags

CVE-2017-7842: Referrer Policy is not always respected for elements

CVE-2017-7827: Memory safety bugs fixed in Firefox 57

CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

< 56.0.2_10,1

< 2.49.2

< 52.5.0,1

< 52.5.0,2

< 52.5.0

Mozilla Foundation reports:

CVE-2019-11708: sandbox escape using Prompt:Open

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.

< 67.0.4,1

< 56.2.12

< 60.7.2,1

Mozilla Foundation reports:

CVE-2016-5287: Crash in nsTArray_base::SwapArrayElements

CVE-2016-5288: Web content can read cache entries

< 49.0.2,1

Mozilla Foundation reports:

CVE-2018-12386: Type confusion in JavaScript

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered.

CVE-2018-12387:

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.

< 62.0.3,1

< 56.2.4

< 2.53.0

< 60.2.2,1

< 60.2.2,2

< 60.2.2

Mozilla Foundation reports:

CVE-2019-11707: Type confusion in Array.pop

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

< 67.0.3,1

< 56.2.11

< 60.7.1,1

Firefox Developers report:

Security researcher Abdulrahman Alqabandi reported that the fetch() API did not correctly implement the Cross-Origin Resource Sharing (CORS) specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue.

< 41.0.2,1

< 41.0.2,1

Mozilla Foundation reports:

CVE-2018-18500: Use-after-free parsing HTML5 stream

CVE-2018-18503: Memory corruption with Audio Buffer

CVE-2018-18504: Memory corruption and out-of-bounds read of texture client buffer

CVE-2018-18505: Privilege escalation through IPC channel messages

CVE-2018-18506: Proxy Auto-Configuration file can define localhost access to be proxied

CVE-2018-18502: Memory safety bugs fixed in Firefox 65

CVE-2018-18501: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5

< 65.0_1,1

< 56.2.7

< 2.53.0

< 60.5.0_1,1

< 60.5.0,2

< 60.5.0

Google Chrome Releases reports:

[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.

Mozilla Foundation reports:

Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially exploitable crash when triggered.

ge 0.3.0 lt 0.3.0_1

< 0.2.0_2

< 0.3.0_3

< 48.0.2564.109

< 45.0,1

< 2.42

< 38.7.0,1

< 38.7.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 51.0_1,1

< 2.48

< 45.7.0,1

< 45.7.0,2

< 45.7.0

The Mozilla Foundation reports:

Mozilla developer Johann Hofmann reported that unsanitized output in the browser UI can lead to arbitrary code execution.

< 58.0.1,1

< 56.0.3.65

Mozilla Foundation reports:

MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

MFSA 2016-42 Use-after-free and buffer overflow in Service Workers

MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets

MFSA 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace

MFSA 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions

MFSA 2016-47 Write to invalid HashMap entry through JavaScript.watch()

MFSA 2016-48 Firefox Health Reports could accept events from untrusted domains

< 46.0,1

< 2.43

ge 39.0,1 lt 45.1.0,1

< 38.8.0,1

ge 39.0 lt 45.1.0

< 38.8.0

The Mozilla Project reports:

MFSA 2015-133 NSS and NSPR memory corruption issues

MFSA 2015-132 Mixed content WebSocket policy bypass through workers

MFSA 2015-131 Vulnerabilities found through code inspection

MFSA 2015-130 JavaScript garbage collection crash with Java applet

MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped

MFSA 2015-128 Memory corruption in libjar through zip files

MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received

MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X

MFSA 2015-125 XSS attack through intents on Firefox for Android

MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files

MFSA 2015-123 Buffer overflow during image interactions in canvas

MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy

MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect

MFSA 2015-120 Reading sensitive profile files through local HTML file on Android

MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode

MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist

MFSA 2015-117 Information disclosure through NTLM authentication

MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

< 4.10.10

< 4.10.10

ge 3.20 lt 3.20.1

ge 3.19.3 lt 3.19.4

< 3.19.2.1

< 42.0,1

< 42.0,1

< 2.39

< 2.39

< 38.4.0,1

< 38.4.0

< 38.4.0

< 38.4.0

Mozilla Foundation reports:

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]

CVE-2016-5283 -