The Mozilla Project reports:

MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)

MFSA 2013-31 Out-of-bounds write in Cairo library

MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service

MFSA 2013-33 World read and write access to app_tmp directory on Android

MFSA 2013-34 Privilege escalation through Mozilla Updater

MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux

MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes

MFSA 2013-37 Bypass of tab-modal dialog origin disclosure

MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations

MFSA 2013-39 Memory corruption while rendering grayscale PNG images

MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage

gt 18.0,1 lt 20.0,1

< 17.0.5,1

< 17.0.5,1

< 2.17

< 17.0.5

< 2.17

gt 11.0 lt 17.0.5

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 50.0_1,1

< 2.47

< 45.5.0,1

< 45.5.0,2

< 45.5.0

The Mozilla Project reports:

MFSA 2013-116 JPEG information leak

MFSA 2013-105 Application Installation doorhanger persists on navigation

MFSA 2013-106 Character encoding cross-origin XSS attack

MFSA 2013-107 Sandbox restrictions not applied to nested object elements

MFSA 2013-108 Use-after-free in event listeners

MFSA 2013-109 Use-after-free during Table Editing

MFSA 2013-110 Potential overflow in JavaScript binary search algorithms

MFSA 2013-111 Segmentation violation when replacing ordered list elements

MFSA 2013-112 Linux clipboard information disclosure though selection paste

MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation

MFSA 2013-114 Use-after-free in synthetic mouse movement

MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets

MFSA 2013-116 JPEG information leak

MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate

gt 25.0,1 lt 26.0,1

< 24.2.0,1

< 26.0,1

< 2.23

< 24.2.0

< 2.23

< 24.2.0

The Mozilla Foundation reports:

MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin.

< 44.0.2,1

< 44.0.2,1

The Mozilla Project reports:

MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop

MFSA 2012-44 Gecko memory corruption

MFSA 2012-45 Spoofing issue with location

MFSA 2012-46 XSS through data: URLs

MFSA 2012-47 Improper filtering of javascript in HTML feed-view

MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden

MFSA 2012-49 Same-compartment Security Wrappers can be bypassed

MFSA 2012-50 Out of bounds read in QCMS

MFSA 2012-51 X-Frame-Options header ignored when duplicated

MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption

MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage

MFSA 2012-54 Clickjacking of certificate warning page

MFSA 2012-55 feed: URLs with an innerURI inherit security context of page

MFSA 2012-56 Code execution through javascript: URLs

gt 11.0,1 lt 14.0.1,1

< 10.0.6,1

< 10.0.6,1

< 2.11

< 10.0.6

< 2.11

gt 11.0 lt 14.0

< 10.0.6

gt 1.9.2.* lt 10.0.6

The Mozilla Project reports:

MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)

MFSA 2012-92 Buffer overflow while rendering GIF images

MFSA 2012-93 evalInSanbox location context incorrectly applied

MFSA 2012-94 Crash when combining SVG text on path with CSS

MFSA 2012-95 Javascript: URLs run in privileged context on New Tab page

MFSA 2012-96 Memory corruption in str_unescape

MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox

MFSA 2012-98 Firefox installer DLL hijacking

MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment

MFSA 2012-100 Improper security filtering for cross-origin wrappers

MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset

MFSA 2012-102 Script entered into Developer Toolbar runs with chrome privileges

MFSA 2012-103 Frames can shadow top.location

MFSA 2012-104 CSS and HTML injection through Style Inspector

MFSA 2012-105 Use-after-free and buffer overflow issues found

MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer

gt 11.0,1 lt 17.0,1

< 10.0.11,1

< 10.0.11,1

< 2.14

< 10.0.11

< 2.14

gt 11.0 lt 17.0

< 10.0.11

gt 1.9.2.* lt 10.0.11

RedHat reports:

Several flaws were found in the way in which Firefox displayed malformed web content. A web page containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334)

< 2.0.0.8,1

< 2.0.0.8

< 1.1.5

The Mozilla Project reports:

MFSA 2015-133 NSS and NSPR memory corruption issues

MFSA 2015-132 Mixed content WebSocket policy bypass through workers

MFSA 2015-131 Vulnerabilities found through code inspection

MFSA 2015-130 JavaScript garbage collection crash with Java applet

MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped

MFSA 2015-128 Memory corruption in libjar through zip files

MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received

MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X

MFSA 2015-125 XSS attack through intents on Firefox for Android

MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files

MFSA 2015-123 Buffer overflow during image interactions in canvas

MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy

MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect

MFSA 2015-120 Reading sensitive profile files through local HTML file on Android

MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode

MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist

MFSA 2015-117 Information disclosure through NTLM authentication

MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

< 4.10.10

< 4.10.10

ge 3.20 lt 3.20.1

ge 3.19.3 lt 3.19.4

< 3.19.2.1

< 42.0,1

< 42.0,1

< 2.39

< 2.39

< 38.4.0,1

< 38.4.0

< 38.4.0

< 38.4.0

The Mozilla Project reports:

MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9

MFSA 2012-22 use-after-free in IDBKeyRange

MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface

MFSA 2012-24 Potential XSS via multibyte content processing errors

MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite

MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error

MFSA 2012-27 Page load short-circuit can lead to XSS

MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions

MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues

MFSA 2012-30 Crash with WebGL content using textImage2D

MFSA 2012-31 Off-by-one error in OpenType Sanitizer

MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors

MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds

gt 11.0,1 lt 12.0,1

< 10.0.4,1

< 10.0.4,1

< 2.9

< 10.0.4

< 2.9

gt 11.0 lt 12.0

< 10.0.4

gt 1.9.2.* lt 10.0.4

The Mozilla Foundation reports:

CVE-2018-5148: Use-after-free in compositor

A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash.

< 59.0.2,1

< 56.0.4.36_3

< 2.49.3

< 52.7.3,1

< 52.7.3,2

< 52.7.3

< 52.7.1

< 52.7.0_1

Mozilla Foundation reports:

CVE-2018-5183: Backport critical security fixes in Skia

CVE-2018-5154: Use-after-free with SVG animations and clip paths

CVE-2018-5155: Use-after-free with SVG animations and text paths

CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files

CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer

CVE-2018-5159: Integer overflow and out-of-bounds write in Skia

CVE-2018-5160: Uninitialized memory use by WebRTC encoder

CVE-2018-5152: WebExtensions information leak through webRequest API

CVE-2018-5153: Out-of-bounds read in mixed content websocket messages

CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache

CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace

CVE-2018-5166: WebExtension host permission bypass through filterReponseData

CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger

CVE-2018-5168: Lightweight themes can be installed without user interaction

CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages

CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer

CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters

CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update

CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies

CVE-2018-5176: JSON Viewer script injection

CVE-2018-5177: Buffer overflow in XSLT during number formatting

CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox

CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension

CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced

CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink

CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar

CVE-2018-5151: Memory safety bugs fixed in Firefox 60

CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8

< 60.0,1

< 56.1.0_18

< 2.49.4

< 52.8.0,1

< 52.8.0,2

< 52.8.0

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2007-08 onUnload + document.write() memory corruption
• MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
• MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
• MFSA 2007-05 XSS and local file access by opening blocked popups
• MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
• MFSA 2007-03 Information disclosure through cache collisions
• MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
• MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

< 1.5.0.10,1

gt 2.*,1 lt 2.0.0.2,1

< 1.5.0.10

< 0.3.1

< 1.0.8

ge 1.1 lt 1.1.1

< 1.5.0.10

< 3.0.a2007.04.18

< 1.5.a2007.04.18

gt 0

The Mozilla Project reports:

MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

MFSA 2014-75 Buffer overflow during CSS manipulation

MFSA 2014-76 Web Audio memory corruption issues with custom waveforms

MFSA 2014-78 Further uninitialized memory use during GIF

MFSA 2014-79 Use-after-free interacting with text directionality

MFSA 2014-80 Key pinning bypasses

MFSA 2014-81 Inconsistent video sharing within iframe

MFSA 2014-82 Accessing cross-origin objects via the Alarms API

< 33.0,1

< 31.2.0,1

< 33.0,1

< 2.30

< 31.2.0

< 2.30

< 31.2.0

< 31.2.0

The Mozilla Foundation reports:

MFSA 2008-69 XSS vulnerabilities in SessionStore

MFSA 2008-68 XSS and JavaScript privilege escalation

MFSA 2008-67 Escaped null characters ignored by CSS parser

MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters

MFSA 2008-65 Cross-domain data theft via script redirect error message

MFSA 2008-64 XMLHttpRequest 302 response disclosure

MFSA 2008-62 Additional XSS attack vectors in feed preview

MFSA 2008-61 Information stealing via loadBindingDocument

MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

< 2.0.0.20,1

gt 3.*,1 lt 3.0.5,1

< 2.0.0.20

< 1.1.14

< 2.0.0.18

The Mozilla Project reports:

MFSA 2012-90 Fixes for Location object issues

gt 11.0,1 lt 16.0.2,1

< 10.0.10,1

< 10.0.10,1

< 2.13.2

< 10.0.10

< 2.13.2

gt 11.0 lt 16.0.2

< 10.0.10

gt 1.9.2.* lt 10.0.10

Mozilla Foundation reports:

CVE-2017-7828: Use-after-free of PressShell while restyling layout

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects

CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers

CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters

CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

CVE-2017-7835: Mixed content blocking incorrectly applies with redirects

CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X

CVE-2017-7837: SVG loaded as can use meta tags to set cookies

CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN

CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism

CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags

CVE-2017-7842: Referrer Policy is not always respected for elements

CVE-2017-7827: Memory safety bugs fixed in Firefox 57

CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

< 56.0.2_10,1

< 2.49.2

< 52.5.0,1

< 52.5.0,2

< 52.5.0

Google Chrome Releases reports:

[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.

Mozilla Foundation reports:

Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially exploitable crash when triggered.

ge 0.3.0 lt 0.3.0_1

< 0.2.0_2

< 0.3.0_3

< 48.0.2564.109

< 45.0,1

< 2.42

< 38.7.0,1

< 38.7.0

Mozilla Foundation reports:

MFSA 2009-06: Directives to not cache pages ignored

MFSA 2009-05: XMLHttpRequest allows reading HTTPOnly cookies

MFSA 2009-04: Chrome privilege escalation via local .desktop files

MFSA 2009-03: Local file stealing with SessionStore

MFSA 2009-02: XSS using a chrome XBL method and window.eval

MFSA 2009-01: Crashes with evidence of memory corruption (rv:1.9.0.6)

< 2.0.0.20_3,1

gt 3.*,1 lt 3.0.6,1

< 3.0.6

gt 0

< 1.1.15

< 2.0.0.21

The Mozilla Project reports:

MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

MFSA 2013-94 Spoofing addressbar though SELECT element

MFSA 2013-95 Access violation with XSLT and uninitialized data

MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions

MFSA 2013-97 Writing to cycle collected object during image decoding

MFSA 2013-98 Use-after-free when updating offline cache

MFSA 2013-99 Security bypass of PDF.js checks using iframes

MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing

MFSA 2013-101 Memory corruption in workers

MFSA 2013-102 Use-after-free in HTML document templates

< 24.1.0,1

< 25.0,1

< 2.22

< 24.1.0

< 2.22

< 24.1.0

Mozilla Foundation reports:

CVE-2019-9811: Sandbox escape via installation of malicious language pack

CVE-2019-11711: Script injection within domain through inner window reuse

CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

CVE-2019-11713: Use-after-free with HTTP/2 cached stream

CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread

CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

CVE-2019-11715: HTML parsing error can contribute to content XSS

CVE-2019-11716: globalThis not enumerable until accessed

CVE-2019-11717: Caret character improperly escaped in origins

CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML

CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

CVE-2019-11720: Character encoding XSS vulnerability

CVE-2019-11721: Domain spoofing through unicode latin 'kra' character

CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries

CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions

CVE-2019-11725: Websocket resources bypass safebrowsing protections

CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3

CVE-2019-11728: Port scanning through Alt-Svc header

CVE-2019-11710: Memory safety bugs fixed in Firefox 68

CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

< 68.0_4,1

< 56.2.12

< 2.53.0

< 60.8.0,1

< 60.8.0,2

< 60.8.0

Mozilla Foundation reports:

MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

MFSA 2016-17 Local file overwriting and potential privilege escalation through CSP reports

MFSA 2016-18 CSP reports fail to strip location information for embedded iframe pages

MFSA 2016-19 Linux video memory DOS with Intel drivers

MFSA 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing

MFSA 2016-21 Displayed page address can be overridden

MFSA 2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager

MFSA 2016-23 Use-after-free in HTML5 string parser

MFSA 2016-24 Use-after-free in SetBody

MFSA 2016-25 Use-after-free when using multiple WebRTC data channels

MFSA 2016-26 Memory corruption when modifying a file being read by FileReader

MFSA 2016-27 Use-after-free during XML transformations

MFSA 2016-28 Addressbar spoofing though history navigation and Location protocol property

MFSA 2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore

MFSA 2016-31 Memory corruption with malicious NPAPI plugin

MFSA 2016-32 WebRTC and LibVPX vulnerabilities found through code inspection

MFSA 2016-33 Use-after-free in GetStaticInstance in WebRTC

MFSA 2016-34 Out-of-bounds read in HTML parser following a failed allocation

< 45.0,1

< 2.42

< 38.7.0,1

< 38.7.0

The Mozilla Project reports:

MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

MFSA 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer

MFSA 2013-03 Buffer Overflow in Canvas

MFSA 2013-04 URL spoofing in addressbar during page loads

MFSA 2013-05 Use-after-free when displaying table with many columns and column groups

MFSA 2013-06 Touch events are shared across iframes

MFSA 2013-07 Crash due to handling of SSL on threads

MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection

MFSA 2013-09 Compartment mismatch with quickstubs returned values

MFSA 2013-10 Event manipulation in plugin handler to bypass same-origin policy

MFSA 2013-11 Address space layout leaked in XBL objects

MFSA 2013-12 Buffer overflow in Javascript string concatenation

MFSA 2013-13 Memory corruption in XBL with XML bindings containing SVG

MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype

MFSA 2013-15 Privilege escalation through plugin objects

MFSA 2013-16 Use-after-free in serializeToStream

MFSA 2013-17 Use-after-free in ListenerManager

MFSA 2013-18 Use-after-free in Vibrate

MFSA 2013-19 Use-after-free in Javascript Proxy objects

MFSA 2013-20 Mis-issued TURKTRUST certificates

gt 11.0,1 lt 17.0.2,1

< 10.0.12,1

< 17.0.2,1

< 2.15

< 17.0.2

< 2.15

gt 11.0 lt 17.0.2

< 10.0.12

gt 1.9.2.* lt 10.0.12

< 3.14.1

Mozilla Project reports:

MFSA 2009-38: Data corruption with SOCKS5 reply containing DNS name longer than 15 characters

MFSA 2009-42: Compromise of SSL-protected communication

MFSA 2009-43: Heap overflow in certificate regexp parsing

MFSA 2009-44: Location bar and SSL indicator spoofing via window.open() on invalid URL

MFSA 2009-45: Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)

MFSA 2009-46: Chrome privilege escalation due to incorrectly cached wrapper

< 3.*,1

gt 3.*,1 lt 3.0.13,1

gt 3.5.*,1 lt 3.5.2,1

< 3.5.2

< 1.1.18

gt 0

< 2.0.0.23

The Mozilla Project reports:

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover two buffer overflow issues in the Libvpx library used for WebM video when decoding a malformed WebM video file. These buffer overflows result in potentially exploitable crashes.

< 1.4.0.488

< 40.0,1

< 40.0,1

The Mozilla Project reports:

MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)

MFSA 2014-02 Clone protected content with XBL scopes

MFSA 2014-03 UI selection timeout missing on download prompts

MFSA 2014-04 Incorrect use of discarded images by RasterImage

MFSA 2014-05 Information disclosure with *FromPoint on iframes

MFSA 2014-06 Profile path leaks to Android system log

MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy

MFSA 2014-08 Use-after-free with imgRequestProxy and image proccessing

MFSA 2014-09 Cross-origin information leak through web workers

MFSA 2014-10 Firefox default start page UI content invokable by script

MFSA 2014-11 Crash when using web workers with asm.js

MFSA 2014-12 NSS ticket handling issues

MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects

gt 25.0,1 lt 27.0,1

< 24.3.0,1

< 27.0,1

< 2.24

< 24.3.0

< 2.24

< 24.3.0

Mozilla Foundation reports:

CVE-2018-18356: Use-after-free in Skia

CVE-2019-5785: Integer overflow in Skia

CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext

< 65.0.1,1

< 60.5.1,1

< 60.5.1

Mozilla Foundation reports:

CVE-2019-9790: Use-after-free when removing in-use DOM elements

CVE-2019-9791: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey

CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script

CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled

CVE-2019-9794: Command line arguments not discarded during execution

CVE-2019-9795: Type-confusion in IonMonkey JIT compiler

CVE-2019-9796: Use-after-free with SMIL animation controller

CVE-2019-9797: Cross-origin theft of images with createImageBitmap

CVE-2019-9798: Library is loaded from world writable APITRACE_LIB location

CVE-2019-9799: Information disclosure via IPC channel messages

CVE-2019-9801: Windows programs that are not 'URL Handlers' are exposed to web content

CVE-2019-9802: Chrome process information leak

CVE-2019-9803: Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation

CVE-2019-9804: Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS

CVE-2019-9805: Potential use of uninitialized memory in Prio

CVE-2019-9806: Denial of service through successive FTP authorization prompts

CVE-2019-9807: Text sent through FTP connection can be incorporated into alert messages

CVE-2019-9809: Denial of service through FTP modal alert error messages

CVE-2019-9808: WebRTC permissions can display incorrect origin with data: and blob: URLs

CVE-2019-9789: Memory safety bugs fixed in Firefox 66

CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6

< 66.0_3,1

< 56.2.9

< 2.53.0

< 60.6.0,1

< 60.6.0,2

< 60.6.0

The Mozilla Project reports:

Using the Address Sanitizer tool, security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team found an out-of-bounds write when buffering WebM format video containing frames with invalid tile sizes. This can lead to a potentially exploitable crash during WebM video playback.

< 1.4.0

< 33.0,1

< 31.1.2,1

< 33.0,1

< 2.30

< 31.1.2

< 2.30

< 31.1.2

< 31.1.2

The Mozilla Project reports:

MFSA 2014-66 IFRAME sandbox same-origin access through redirect

MFSA 2014-65 Certificate parsing broken by non-standard character encoding

MFSA 2014-64 Crash in Skia library when scaling high quality images

MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache

MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library

MFSA 2014-61 Use-after-free with FireOnStateChange event

MFSA 2014-60 Toolbar dialog customization event spoofing

MFSA 2014-59 Use-after-free in DirectWrite font handling

MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering

MFSA 2014-57 Buffer overflow during Web Audio buffering for playback

MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

< 31.0,1

< 24.7.0,1

< 31.0,1

< 24.7.0

< 24.7.0

< 3.16.1_2

Mozilla Foundation reports:

CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin

CVE-2018-12392: Crash with nested event loops

CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript

CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting

CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts

CVE-2018-12397:

CVE-2018-12398: CSP bypass through stylesheet injection in resource URIs

CVE-2018-12399: Spoofing of protocol registration notification bar

CVE-2018-12400: Favicons are cached in private browsing mode on Firefox for Android

CVE-2018-12401: DOS attack through special resource URI parsing

CVE-2018-12402: SameSite cookies leak when pages are explicitly saved

CVE-2018-12403: Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP

CVE-2018-12388: Memory safety bugs fixed in Firefox 63

CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

< 63.0_1,1

< 56.2.5

< 2.53.0

< 60.3.0,1

< 60.3.0,2

< 60.3.0

The Mozilla Foundation reports:

A heap buffer overflow can occur in the Skia library when rasterizing paths using a maliciously crafted SVG file with anti-aliasing turned off. This results in a potentially exploitable crash.

< 60.0.2,1

< 56.2.0.13_5

< 52.8.1,1

< 2.49.4

The Mozilla Project reports:

MFSA 2015-45 Memory corruption during failed plugin initialization

< 37.0.2,1

< 37.0.2,1

Tom Ferris reports:

A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host.

The problem seems to be when a hostname which has all dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but is sets encHost to an empty string. Meaning, Firefox appends 0 to approxLen and then appends the long string of dashes to the buffer instead.

Note: It is possible to disable IDN support as a workaround to protect against this buffer overflow. How to do this is described on the What Firefox and Mozilla users should know about the IDN buffer overflow security issue web page.

< 1.0.6_5,1

< 1.0.7

< 1.7.11_1,2

ge 1.8.*,2 lt 1.8.b1_5,2

< 1.7.12

gt 0

ge 0

ge 0

ge 0

Mozilla Foundation reports:

CVE-2018-12386: Type confusion in JavaScript

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered.

CVE-2018-12387:

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.

< 62.0.3,1

< 56.2.4

< 2.53.0

< 60.2.2,1

< 60.2.2,2

< 60.2.2

The Mozilla Project reports:

MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer

MFSA 2014-51 Use-after-free in Event Listener Manager

MFSA 2014-52 Use-after-free with SMIL Animation Controller

MFSA 2014-53 Buffer overflow in Web Audio Speex resampler

MFSA 2014-54 Buffer overflow in Gamepad API

MFSA 2014-55 Out of bounds write in NSPR

< 30.0,1

< 24.6.0,1

< 2.26.1

< 30.0,1

< 2.26.1

< 24.6.0

< 4.10.6

< 24.6.0

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• Web forgery overwrite with div overlay
• URL token stealing via stylesheet redirect
• Mishandling of locally-saved plain text files
• File action dialog tampering
• Possible information disclosure in BMP decoder
• Web browsing history and forward navigation stealing
• Directory traversal via chrome: URI
• Stored password corruption
• Privilege escalation, XSS, Remote Code Execution
• Multiple file input focus stealing vulnerabilities
• Crashes with evidence of memory corruption (rv:1.8.1.12)

< 2.0.0.12,1

< 2.0.0.12

< 1.1.8

< 1.0.9

gt 0

Mozilla Foundation reports:

The Firefox 2.0.0.10 update contains fixes for three bugs that improve the stability of the product. These crashes showed some evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

< 2.0.0.10,1

< 2.0.0.10

< 1.1.7

< 1.0.2

< 3.0.a2007.12.12

< 2.0.a2007.12.12

Mozilla Foundation reports:

Jann Horn of Google Project Zero Security reported that speculative execution performed by modern CPUs could leak information through a timing side-channel attack. Microsoft Vulnerability Research extended this attack to browser JavaScript engines and demonstrated that code on a malicious web page could read data from other web sites (violating the same-origin policy) or private data from the browser itself.

Since this new class of attacks involves measuring precise time intervals, as a parti al, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.

< 57.0.4,1

< 56.0.2

A Mozilla Foundation Security Advisory reports:

Additional checks were added to make sure Javascript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them in order to protect against an additional variant of MFSA 2005-41.

The Mozilla Foundation Security Advisory MFSA 2005-41 reports:

moz_bug_r_a4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu.

< 1.0.4,1

< 1.0.4

< 1.7.8,2

ge 1.8.*,2

< 1.7.8

ge 1.8.*

ge 0

ge 0

ge 0

Mozilla Foundation reports:

CVE-2018-12359: Buffer overflow using computed size of canvas element

CVE-2018-12360: Use-after-free when using focus()

CVE-2018-12361: Integer overflow in SwizzleData

CVE-2018-12358: Same-origin bypass using service worker and redirection

CVE-2018-12362: Integer overflow in SSSE3 scaler

CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture

CVE-2018-12363: Use-after-free when appending DOM nodes

CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins

CVE-2018-12365: Compromised IPC child process can list local filenames

CVE-2018-12371: Integer overflow in Skia library during edge builder allocation

CVE-2018-12366: Invalid data handling during QCMS transformations

CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming

CVE-2018-12368: No warning when opening executable SettingContent-ms files

CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments

CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View

CVE-2018-5186: Memory safety bugs fixed in Firefox 61

CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1

CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9

< 61.0_1,1

< 56.2.1.19_2

< 2.49.4

ge 60.0,1 lt 60.1.0_1,1

< 52.9.0_1,1

< 52.9.0,2

< 52.9.0

The Mozilla Foundation reports:

An integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.

< 52.0.1,1

Mozilla Foundation reports:

CVE-2018-18500: Use-after-free parsing HTML5 stream

CVE-2018-18503: Memory corruption with Audio Buffer

CVE-2018-18504: Memory corruption and out-of-bounds read of texture client buffer

CVE-2018-18505: Privilege escalation through IPC channel messages

CVE-2018-18506: Proxy Auto-Configuration file can define localhost access to be proxied

CVE-2018-18502: Memory safety bugs fixed in Firefox 65

CVE-2018-18501: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5

< 65.0_1,1

< 56.2.7

< 2.53.0

< 60.5.0_1,1

< 60.5.0,2

< 60.5.0

A Mozilla Foundation Security Advisory reports of multiple issues. Several of which can be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2006-29 Spoofing with translucent windows
• MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented
• MFSA 2006-26 Mail Multiple Information Disclosure
• MFSA 2006-25 Privilege escalation through Print Preview
• MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
• MFSA 2006-23 File stealing by changing input type
• MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
• MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2)
• MFSA 2006-19 Cross-site scripting using .valueOf.call()
• MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability
• MFSA 2006-17 cross-site scripting through window.controllers
• MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()
• MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent
• MFSA 2006-14 Privilege escalation via XBL.method.eval
• MFSA 2006-13 Downloading executables with "Save Image As..."
• MFSA 2006-12 Secure-site spoof (requires security warning dialog)
• MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)
• MFSA 2006-10 JavaScript garbage-collection hazard audit
• MFSA 2006-09 Cross-site JavaScript injection using event handlers

< 1.0.8,1

gt 1.5.*,1 lt 1.5.0.2,1

< 1.5.0.2

< 1.7.13,2

ge 1.8.*,2

< 1.7.13

gt 0

< 1.0.1

< 1.5.0.2

A Mozilla Foundation Security Advisory reports of multiple issues:

Heap overrun in XBM image processing

jackerror reports that an improperly terminated XBM image ending with space characters instead of the expected end tag can lead to a heap buffer overrun. This appears to be exploitable to install or run malicious code on the user's machine.

Thunderbird does not support the XBM format and is not affected by this flaw.

Crash on "zero-width non-joiner" sequence

Mats Palmgren discovered that a reported crash on Unicode sequences with "zero-width non-joiner" characters was due to stack corruption that may be exploitable.

XMLHttpRequest header spoofing

It was possible to add illegal and malformed headers to an XMLHttpRequest. This could have been used to exploit server or proxy flaws from the user's machine, or to fool a server or proxy into thinking a single request was a stream of separate requests. The severity of this vulnerability depends on the value of servers which might be vulnerable to HTTP request smuggling and similar attacks, or which share an IP address (virtual hosting) with the attacker's page.

For users connecting to the web through a proxy this flaw could be used to bypass the same-origin restriction on XMLHttpRequests by fooling the proxy into handling a single request as multiple pipe-lined requests directed at arbitrary hosts. This could be used, for example, to read files on intranet servers behind a firewall.

Object spoofing using XBL

moz_bug_r_a4 demonstrated a DOM object spoofing bug similar to MFSA 2005-55 using an XBL control that an internal interface. The severity depends on the version of Firefox: investigation so far indicates Firefox 1.0.x releases don't expose any vulnerable functionality to interfaces spoofed in this way, but that early Deer Park Alpha 1 versions did.

XBL was changed to no longer allow unprivileged controls from web content to implement XPCOM interfaces.

JavaScript integer overflow

Georgi Guninski reported an integer overflow in the JavaScript engine. We presume this could be exploited to run arbitrary code under favorable conditions.

Privilege escalation using about: scheme

heatsync and shutdown report two different ways to bypass the restriction on loading high privileged "chrome" pages from an unprivileged "about:" page. By itself this is harmless--once the "about" page's privilege is raised the original page no longer has access--but should this be combined with a same-origin violation this could lead to arbitrary code execution.

Chrome window spoofing

moz_bug_r_a4 demonstrates a way to get a blank "chrome" canvas by opening a window from a reference to a closed window. The resulting window is not privileged, but the normal browser UI is missing and can be used to construct a spoof page without any of the safety features of the browser chrome designed to alert users to phishing sites, such as the address bar and the status bar.

< 1.0.7,1

< 1.0.7

< 1.7.12,2

ge 1.8.*,2

< 1.7.12

gt 0

ge 0

ge 0

ge 0

A Secunia Advisory reports:

Peter Zelezny has discovered a vulnerability in Firefox, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser.

< 1.0.7,1

< 1.0.7

< 1.7.12,2

ge 1.8.*,2

< 1.7.12

gt 0

ge 0

ge 0

ge 0

The Mozilla Project reports:

MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)

MFSA 2013-22 Out-of-bounds read in image rendering

MFSA 2013-23 Wrapped WebIDL objects can be wrapped again

MFSA 2013-24 Web content bypass of COW and SOW security wrappers

MFSA 2013-25 Privacy leak in JavaScript Workers

MFSA 2013-26 Use-after-free in nsImageLoadingContent

MFSA 2013-27 Phishing on HTTPS connection through malicious proxy

MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer

gt 18.0,1 lt 19.0,1

< 17.0.3,1

< 17.0.3,1

< 2.16

< 17.0.3

< 2.16

gt 11.0 lt 17.0.3

< 10.0.12

gt 1.9.2.* lt 10.0.12

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 48.0,1

< 2.45

< 45.3.0,1

< 45.3.0,2

< 45.3.0

The Mozilla Project reports:

MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

MFSA 2013-64 Use after free mutating DOM during SetBody

MFSA 2013-65 Buffer underflow when generating CRMF requests

MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater

MFSA 2013-67 Crash during WAV audio file decoding

MFSA 2013-68 Document URI misrepresentation and masquerading

MFSA 2013-69 CRMF requests allow for code execution and XSS attacks

MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes

MFSA 2013-71 Further Privilege escalation through Mozilla Updater

MFSA 2013-72 Wrong principal used for validating URI for some Javascript components

MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest

MFSA 2013-74 Firefox full and stub installer DLL hijacking

MFSA 2013-75 Local Java applets may read contents of local file system

gt 18.0,1 lt 23.0,1

< 17.0.8,1

< 17.0.8,1

< 2.20

< 17.0.8

< 2.20

gt 11.0 lt 17.0.8

Mozilla Foundation reports:

CVE-2018-12377: Use-after-free in refresh driver timers

CVE-2018-12378: Use-after-free in IndexedDB

CVE-2018-12379: Out-of-bounds write with malicious MAR file

CVE-2017-16541: Proxy bypass using automount and autofs

CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation

CVE-2018-12382: Addressbar spoofing with javascript URI on Firefox for Android

CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords

CVE-2018-12375: Memory safety bugs fixed in Firefox 62

CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2

< 62.0_1,1

< 56.2.3

< 2.49.5

< 60.2.0_1,1

< 60.2.0,2

< 60.2

A Mozilla Foundation Security Advisory states:

An (sic) GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine.

< 1.0.2,1

< 1.0.2

< 1.7.6,2

ge 1.8.*,2

< 1.7.6

ge 1.8.*

ge 0

ge 0

ge 0

The Mozilla Project reports:

MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer

MFSA 2014-36 Web Audio memory corruption issues

MFSA 2014-37 Out of bounds read while decoding JPG images

MFSA 2014-38 Buffer overflow when using non-XBL object as XBL

MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video

MFSA 2014-41 Out-of-bounds write in Cairo

MFSA 2014-42 Privilege escalation through Web Notification API

MFSA 2014-43 Cross-site scripting (XSS) using history navigations

MFSA 2014-44 Use-after-free in imgLoader while resizing images

MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates

MFSA 2014-46 Use-after-free in nsHostResolve

MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript

< 29.0,1

< 24.5.0,1

< 29.0,1

< 2.26

< 24.5.0

< 2.26

< 24.5.0

Mozilla Foundation reports:

CVE-2019-11707: Type confusion in Array.pop

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

< 67.0.3,1

< 56.2.11

< 60.7.1,1

A Mozilla Foundation Security Advisory reports:

Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also be used to perform cross-site scripting.

Georgi Guninski demonstrated the same flaw wrapping javascript: urls with the jar: pseudo-protocol.

L. David Baron discovered a nested variant that defeated checks in the script security manager.

Workaround: Disable Javascript

< 1.0.4,1

< 1.0.4

< 1.7.8,2

ge 1.8.*,2

< 1.7.8

ge 1.8.*

ge 0

ge 0

ge 0

The Mozilla Project reports:

MFSA 2013-29 Use-after-free in HTML Editor

gt 18.0,1 lt 19.0.2,1

< 17.0.3,1

< 17.0.4,1

< 2.16.1

< 17.0.4

< 2.16.1

gt 11.0 lt 17.0.4

< 10.0.12

The Mozilla Project reports:

MFSA 2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header

MFSA 2015-43 Loading privileged content through Reader mode

< 37.0.1,1

< 37.0.1,1

Firefox Developers report:

Security researcher Abdulrahman Alqabandi reported that the fetch() API did not correctly implement the Cross-Origin Resource Sharing (CORS) specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue.

< 41.0.2,1

< 41.0.2,1

A Mozilla Foundation Security Advisory states:

If a user bookmarked a malicious page as a Firefox sidebar panel that page could execute arbitrary programs by opening a privileged page and injecting javascript into it.

< 1.0.2,1

< 1.0.2

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 54.0,1

< 2.49.1

< 52.2.0,1

< 52.2.0,2

< 52.2.0

The Mozilla Project reports:

MFSA-2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)

MFSA-2015-02 Uninitialized memory use during bitmap rendering

MFSA-2015-03 sendBeacon requests lack an Origin header

MFSA-2015-04 Cookie injection through Proxy Authenticate responses

MFSA-2015-05 Read of uninitialized memory in Web Audio

MFSA-2015-06 Read-after-free in WebRTC

MFSA-2015-07 Gecko Media Plugin sandbox escape

MFSA-2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension

MFSA-2015-09 XrayWrapper bypass through DOM objects

< 35.0,1

< 31.4.0,1

< 35.0,1

< 2.32

< 31.4.0

< 2.32

< 31.4.0

< 31.4.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 55.0,1

< 2.49.1

< 52.3.0,1

< 52.3.0,2

< 52.3.0

A Mozilla Foundation Security Advisory reports:

Sites can use the _search target to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to first open a privileged page (such as about:config) and then inject script using a javascript: url. This could be used to install malicious code or steal data without user interaction.

Workaround: Disable Javascript

< 1.0.3,1

< 1.0.3

Mozilla Foundation reports:

MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

MFSA 2016-42 Use-after-free and buffer overflow in Service Workers

MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets

MFSA 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace

MFSA 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions

MFSA 2016-47 Write to invalid HashMap entry through JavaScript.watch()

MFSA 2016-48 Firefox Health Reports could accept events from untrusted domains

< 46.0,1

< 2.43

ge 39.0,1 lt 45.1.0,1

< 38.8.0,1

ge 39.0 lt 45.1.0

< 38.8.0

A Mozilla Foundation Security Advisory reports:

A bug in javascript's regular expression string replacement when using an anonymous function as the replacement argument allows a malicious script to capture blocks of memory allocated to the browser. A web site could capture data and transmit it to a server without user interaction or knowledge.

Workaround: Disable Javascript

< 1.0.3,1

< 1.0.3

< 1.7.7,2

ge 1.8.*,2

< 1.7.7

ge 1.8.*

ge 0

ge 0

ge 0

Mozilla Foundation reports:

CVE-2018-12407: Buffer overflow with ANGLE library when using VertexBuffer11 module

CVE-2018-17466: Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11

CVE-2018-18492: Use-after-free with select element

CVE-2018-18493: Buffer overflow in accelerated 2D canvas with Skia

CVE-2018-18494: Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs

CVE-2018-18495: WebExtension content scripts can be loaded in about: pages

CVE-2018-18496: Embedded feed preview page can be abused for clickjacking

CVE-2018-18497: WebExtensions can load arbitrary URLs through pipe separators

CVE-2018-18498: Integer overflow when calculating buffer sizes for images

CVE-2018-12406: Memory safety bugs fixed in Firefox 64

CVE-2018-12405: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4

< 64.0_3,1

< 56.2.6

< 2.53.0

< 60.4.0,1

< 60.4.0,2

< 60.4.0

The Mozilla Foundation reports:

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.

< 50.0.2,1

< 45.5.1,1

< 45.5.1,2

< 2.46

< 2.46

< 45.5.1

< 45.5.1

< 45.5.1

Mozilla Foundation reports:

CVE-2019-11733: Stored passwords in 'Saved Logins' can be copied without master password entry

When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords.

< 1.28.2

< 68.0.2,1

Mozilla Foundation reports:

CVE-2016-5287: Crash in nsTArray_base::SwapArrayElements

CVE-2016-5288: Web content can read cache entries

< 49.0.2,1

The Mozilla Project reports:

MFSA-2015-28 Privilege escalation through SVG navigation

MFSA-2015-29 Code execution through incorrect JavaScript bounds checking elimination

< 36.0.4,1

< 31.5.3,1

< 36.0.4,1

< 2.33.1

< 2.33.1

< 31.5.3

The Mozilla Project reports:

MFSA-2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)

MFSA-2015-12 Invoking Mozilla updater will load locally stored DLL files

MFSA-2015-13 Appended period to hostnames can bypass HPKP and HSTS protections

MFSA-2015-14 Malicious WebGL content crash when writing strings

MFSA-2015-15 TLS TURN and STUN connections silently fail to simple TCP connections

MFSA-2015-16 Use-after-free in IndexedDB

MFSA-2015-17 Buffer overflow in libstagefright during MP4 video playback

MFSA-2015-18 Double-free when using non-default memory allocators with a zero-length XHR

MFSA-2015-19 Out-of-bounds read and write while rendering SVG content

MFSA-2015-20 Buffer overflow during CSS restyling

MFSA-2015-21 Buffer underflow during MP3 playback

MFSA-2015-22 Crash using DrawTarget in Cairo graphics library

MFSA-2015-23 Use-after-free in Developer Console date with OpenType Sanitiser

MFSA-2015-24 Reading of local files through manipulation of form autocomplete

MFSA-2015-25 Local files or privileged URLs in pages can be opened into new tabs

MFSA-2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs

MFSA-2015-27 Caja Compiler JavaScript sandbox bypass

< 36.0,1

< 31.5.0,1

< 36.0,1

< 2.33

< 31.5.0

< 2.33

< 31.5.0

< 31.5.0

The Mozilla Project reports:

MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

MFSA 2012-75 select element persistance allows for attacks

MFSA 2012-76 Continued access to initial origin after setting document.domain

MFSA 2012-77 Some DOMWindowUtils methods bypass security checks

MFSA 2012-78 Reader Mode pages have chrome privileges

MFSA 2012-79 DOS and crash with full screen and history navigation

MFSA 2012-80 Crash with invalid cast when using instanceof operator

MFSA 2012-81 GetProperty function can bypass security checks

MFSA 2012-82 top object and location property accessible by plugins

MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties

MFSA 2012-84 Spoofing and script injection through location.hash

MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer

MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer

MFSA 2012-87 Use-after-free in the IME State Manager

MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)

MFSA 2012-89 defaultValue security checks not applied

gt 11.0,1 lt 16.0.1,1

< 10.0.9,1

< 10.0.9,1

< 2.13.1

< 10.0.9

< 2.13.1

gt 11.0 lt 16.0.1

< 10.0.9

gt 1.9.2.* lt 10.0.9

Mozilla Foundation reports:

CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS

CVE-2019-9816: Type confusion with object groups and UnboxedObjects

CVE-2019-9817: Stealing of cross-domain images using canvas

CVE-2019-9818: Use-after-free in crash generation server

CVE-2019-9819: Compartment mismatch with fetch API

CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

CVE-2019-9821: Use-after-free in AssertWorkerThread

CVE-2019-11691: Use-after-free in XMLHttpRequest

CVE-2019-11692: Use-after-free removing listeners in the event listener manager

CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux

CVE-2019-7317: Use-after-free in png_image_free of libpng library

CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox

CVE-2019-11695: Custom cursor can render over user interface outside of web content

CVE-2019-11696: Java web start .JNLP files are not recognized as executable files for download prompts

CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions

CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks

CVE-2019-11700: res: protocol can be used to open known local files

CVE-2019-11699: Incorrect domain name highlighting during page navigation

CVE-2019-11701: webcal: protocol default handler loads vulnerable web page

CVE-2019-9814: Memory safety bugs fixed in Firefox 67

CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7

< 67.0,1

< 56.2.10

< 2.53.0

< 60.7.0,1

< 60.7.0,2

< 60.7.0

Mozilla Foundation reports:

MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)

MFSA 2016-02 Out of Memory crash when parsing GIF format images

MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation

MFSA 2016-04 Firefox allows for control characters to be set in cookie names

MFSA 2016-06 Missing delay following user click events in protocol handler dialog

MFSA 2016-09 Addressbar spoofing attacks

MFSA 2016-10 Unsafe memory manipulation found through code inspection

MFSA 2016-11 Application Reputation service disabled in Firefox 43

< 44.0,1

< 2.41

< 38.6.0,1

< 38.6.0

The Mozilla Project reports:

MFSA-2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

MFSA-2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer

MFSA-2015-48 Buffer overflow with SVG content and CSS

MFSA-2015-49 Referrer policy ignored when links opened by middle-click and context menu

MFSA-2015-50 Out-of-bounds read and write in asm.js validation

MFSA-2015-51 Use-after-free during text processing with vertical text enabled

MFSA-2015-52 Sensitive URL encoded information written to Android logcat

MFSA-2015-53 Use-after-free due to Media Decoder Thread creation during shutdown

MFSA-2015-54 Buffer overflow when parsing compressed XML

MFSA-2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata

MFSA-2015-56 Untrusted site hosting trusted page can intercept webchannel responses

MFSA-2015-57 Privilege escalation through IPC channel messages

MFSA-2015-58 Mozilla Windows updater can be run outside of application directory

MFSA 2015-93 Integer overflows in libstagefright while processing MP4 video metadata

< 38.0,1

< 38.0,1

< 2.35

< 2.35

< 31.7.0,1

< 31.7.0

ge 32.0 lt 38.0

< 31.7.0

ge 32.0 lt 38.0

< 31.7.0

ge 32.0 lt 38.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 52.0_1,1

< 2.49

ge 46.0,1 lt 52.0,1

< 45.8.0_1,1

ge 46.0,2 lt 52.0,2

< 45.8.0_1,2

ge 46.0 lt 52.0

< 45.8.0_1

ge 46.0 lt 52.0

< 45.8.0

A Mozilla Foundation Security Advisory reports:

Firefox and the Mozilla Suite support custom "favicons" through the tag. If a link tag is added to the page programmatically and a javascript: url is used, then script will run with elevated privileges and could run or install malicious software.

Workaround: Disable Javascript

< 1.0.3,1

< 1.0.3

< 1.7.7,2

ge 1.8.*,2

< 1.7.7

ge 1.8.*

ge 0

ge 0

ge 0

The Mozilla Project reports:

MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)

MFSA 2012-58 Use-after-free issues found using Address Sanitizer

MFSA 2012-59 Location object can be shadowed using Object.defineProperty

MFSA 2012-60 Escalation of privilege through about:newtab

MFSA 2012-61 Memory corruption with bitmap format images with negative height

MFSA 2012-62 WebGL use-after-free and memory corruption

MFSA 2012-63 SVG buffer overflow and use-after-free issues

MFSA 2012-64 Graphite 2 memory corruption

MFSA 2012-65 Out-of-bounds read in format-number in XSLT

MFSA 2012-66 HTTPMonitor extension allows for remote debugging without explicit activation

MFSA 2012-67 Installer will launch incorrect executable following new installation

MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html

MFSA 2012-69 Incorrect site SSL certificate data display

MFSA 2012-70 Location object security checks bypassed by chrome code

MFSA 2012-71 Insecure use of __android_log_print

MFSA 2012-72 Web console eval capable of executing chrome-privileged code

gt 11.0,1 lt 15.0,1

< 10.0.7,1

< 10.0.7,1

< 2.12

< 10.0.7

< 2.12

gt 11.0 lt 15.0

< 10.0.7

gt 1.9.2.* lt 10.0.7

The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.

• MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
• MFSA 2006-63 JavaScript execution in mail via XBL
• MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
• MFSA 2006-61 Frame spoofing using document.open()
• MFSA 2006-60 RSA Signature Forgery
• MFSA 2006-59 Concurrency-related vulnerability
• MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
• MFSA 2006-57 JavaScript Regular Expression Heap Corruption

< 1.5.0.7,1

gt 2.*,1 lt 2.0_1,1

< 1.5.0.7

< 1.0.5

< 1.5.0.7

< 3.0.a2006.09.21

< 1.5.a2006.09.21

gt 0

The Mozilla Foundation reports:

MFSA 2008-58 Parsing error in E4X default namespace

MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals

MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation

MFSA 2008-55 Crash and remote code execution in nsFrameManager

MFSA 2008-54 Buffer overflow in http-index-format parser

MFSA 2008-53 XSS and JavaScript privilege escalation via session restore

MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)

MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome

MFSA 2008-50 Crash and remote code execution via __proto__ tampering

MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading

MFSA 2008-48 Image stealing via canvas and HTTP redirect

MFSA 2008-47 Information stealing via local shortcut files

MFSA 2008-46 Heap overflow when canceling newsgroup message

MFSA 2008-44 resource: traversal vulnerabilities

MFSA 2008-43 BOM characters stripped from JavaScript before execution

MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)

MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution

MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation

MFSA 2008-37 UTF-8 URL stack buffer overflow

< 2.0.0.18,1

gt 3.*,1 lt 3.0.4,1

< 2.0.0.18

< 1.1.13

< 2.0.0.18

A Mozilla Foundation Security Advisory reports:

A predictable name is used for the plugin temporary directory. A malicious local user could symlink this to the victim's home directory and wait for the victim to run Firefox. When Firefox shuts down the victim's directory would be erased.

< 1.0.1,1

< 1.7.6,2

< 1.7.6

ge 0

ge 0

ge 0

Mozilla Foundation reports:

CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data

CVE-2017-7844: Visited history information leak through SVG image

ge 57.0,1 lt 57.0.1,1

< 56.0.2_11,1

< 56.0.s20171130

< 2.49.2

< 52.5.1,1

< 52.5.1,2

Mozilla Foundation reports:

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]

CVE-2016-5283 -