The Mozilla Foundation reports:

Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them.

< 50.0.1,1

The Mozilla Project reports:

MFSA 2014-66 IFRAME sandbox same-origin access through redirect

MFSA 2014-65 Certificate parsing broken by non-standard character encoding

MFSA 2014-64 Crash in Skia library when scaling high quality images

MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache

MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library

MFSA 2014-61 Use-after-free with FireOnStateChange event

MFSA 2014-60 Toolbar dialog customization event spoofing

MFSA 2014-59 Use-after-free in DirectWrite font handling

MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering

MFSA 2014-57 Buffer overflow during Web Audio buffering for playback

MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

< 31.0,1

< 24.7.0,1

< 31.0,1

< 24.7.0

< 24.7.0

< 3.16.1_2

The Mozilla Project reports:

MFSA 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)

MFSA 2012-36 Content Security Policy inline-script bypass

MFSA 2012-37 Information disclosure though Windows file shares and shortcut files

MFSA 2012-38 Use-after-free while replacing/inserting a node in a document

MFSA 2012-39 NSS parsing errors with zero length items

MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer

gt 11.0,1 lt 13.0,1

< 10.0.5,1

< 10.0.5,1

< 2.10

< 10.0.5

< 2.10

gt 11.0 lt 13.0

< 10.0.5

gt 1.9.2.* lt 10.0.5

The Mozilla Project reports:

MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

MFSA 2013-42 Privileged access for content level constructor

MFSA 2013-43 File input control has access to full path

MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service

MFSA 2013-45 Mozilla Updater fails to update some Windows Registry entries

MFSA 2013-46 Use-after-free with video and onresize event

MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent

MFSA 2013-48 Memory corruption found using Address Sanitizer

gt 18.0,1 lt 21.0,1

< 17.0.6,1

< 17.0.6,1

< 2.17.1

< 17.0.6

< 2.17.1

gt 11.0 lt 17.0.6

The Mozilla Project reports:

MFSA 2013-116 JPEG information leak

MFSA 2013-105 Application Installation doorhanger persists on navigation

MFSA 2013-106 Character encoding cross-origin XSS attack

MFSA 2013-107 Sandbox restrictions not applied to nested object elements

MFSA 2013-108 Use-after-free in event listeners

MFSA 2013-109 Use-after-free during Table Editing

MFSA 2013-110 Potential overflow in JavaScript binary search algorithms

MFSA 2013-111 Segmentation violation when replacing ordered list elements

MFSA 2013-112 Linux clipboard information disclosure though selection paste

MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation

MFSA 2013-114 Use-after-free in synthetic mouse movement

MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets

MFSA 2013-116 JPEG information leak

MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate

gt 25.0,1 lt 26.0,1

< 24.2.0,1

< 26.0,1

< 2.23

< 24.2.0

< 2.23

< 24.2.0

The Mozilla Project reports:

MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer

MFSA 2014-36 Web Audio memory corruption issues

MFSA 2014-37 Out of bounds read while decoding JPG images

MFSA 2014-38 Buffer overflow when using non-XBL object as XBL

MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video

MFSA 2014-41 Out-of-bounds write in Cairo

MFSA 2014-42 Privilege escalation through Web Notification API

MFSA 2014-43 Cross-site scripting (XSS) using history navigations

MFSA 2014-44 Use-after-free in imgLoader while resizing images

MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates

MFSA 2014-46 Use-after-free in nsHostResolve

MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript

< 29.0,1

< 24.5.0,1

< 29.0,1

< 2.26

< 24.5.0

< 2.26

< 24.5.0

Mozilla Foundation reports:

CVE-2019-11708: sandbox escape using Prompt:Open

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.

< 67.0.4,1

< 56.2.12

< 60.7.2,1

The Mozilla Project reports:

MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

MFSA 2012-75 select element persistance allows for attacks

MFSA 2012-76 Continued access to initial origin after setting document.domain

MFSA 2012-77 Some DOMWindowUtils methods bypass security checks

MFSA 2012-78 Reader Mode pages have chrome privileges

MFSA 2012-79 DOS and crash with full screen and history navigation

MFSA 2012-80 Crash with invalid cast when using instanceof operator

MFSA 2012-81 GetProperty function can bypass security checks

MFSA 2012-82 top object and location property accessible by plugins

MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties

MFSA 2012-84 Spoofing and script injection through location.hash

MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer

MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer

MFSA 2012-87 Use-after-free in the IME State Manager

MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)

MFSA 2012-89 defaultValue security checks not applied

gt 11.0,1 lt 16.0.1,1

< 10.0.9,1

< 10.0.9,1

< 2.13.1

< 10.0.9

< 2.13.1

gt 11.0 lt 16.0.1

< 10.0.9

gt 1.9.2.* lt 10.0.9

Mozilla Foundation reports:

CVE-2019-9790: Use-after-free when removing in-use DOM elements

CVE-2019-9791: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey

CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script

CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled

CVE-2019-9794: Command line arguments not discarded during execution

CVE-2019-9795: Type-confusion in IonMonkey JIT compiler

CVE-2019-9796: Use-after-free with SMIL animation controller

CVE-2019-9797: Cross-origin theft of images with createImageBitmap

CVE-2019-9798: Library is loaded from world writable APITRACE_LIB location

CVE-2019-9799: Information disclosure via IPC channel messages

CVE-2019-9801: Windows programs that are not 'URL Handlers' are exposed to web content

CVE-2019-9802: Chrome process information leak

CVE-2019-9803: Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation

CVE-2019-9804: Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS

CVE-2019-9805: Potential use of uninitialized memory in Prio

CVE-2019-9806: Denial of service through successive FTP authorization prompts

CVE-2019-9807: Text sent through FTP connection can be incorporated into alert messages

CVE-2019-9809: Denial of service through FTP modal alert error messages

CVE-2019-9808: WebRTC permissions can display incorrect origin with data: and blob: URLs

CVE-2019-9789: Memory safety bugs fixed in Firefox 66

CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6

< 66.0_3,1

< 56.2.9

< 2.53.0

< 60.6.0,1

< 60.6.0,2

< 60.6.0

Mozilla Foundation reports:

CVE-2018-12377: Use-after-free in refresh driver timers

CVE-2018-12378: Use-after-free in IndexedDB

CVE-2018-12379: Out-of-bounds write with malicious MAR file

CVE-2017-16541: Proxy bypass using automount and autofs

CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation

CVE-2018-12382: Addressbar spoofing with javascript URI on Firefox for Android

CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords

CVE-2018-12375: Memory safety bugs fixed in Firefox 62

CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2

< 62.0_1,1

< 56.2.3

< 2.49.5

< 60.2.0_1,1

< 60.2.0,2

< 60.2

The Mozilla Project reports:

MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

MFSA 2013-94 Spoofing addressbar though SELECT element

MFSA 2013-95 Access violation with XSLT and uninitialized data

MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions

MFSA 2013-97 Writing to cycle collected object during image decoding

MFSA 2013-98 Use-after-free when updating offline cache

MFSA 2013-99 Security bypass of PDF.js checks using iframes

MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing

MFSA 2013-101 Memory corruption in workers

MFSA 2013-102 Use-after-free in HTML document templates

< 24.1.0,1

< 25.0,1

< 2.22

< 24.1.0

< 2.22

< 24.1.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 51.0_1,1

< 2.48

< 45.7.0,1

< 45.7.0,2

< 45.7.0

Mozilla Foundation reports:

MFSA 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)

MFSA 2016-50 Buffer overflow parsing HTML5 fragments

MFSA 2016-51 Use-after-free deleting tables from a contenteditable document

MFSA 2016-52 Addressbar spoofing though the SELECT element

MFSA 2016-54 Partial same-origin-policy through setting location.host through data URI

MFSA 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction

MFSA 2016-57 Incorrect icon displayed on permissions notifications

MFSA 2016-58 Entering fullscreen and persistent pointerlock without user permission

MFSA 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes

MFSA 2016-60 Java applets bypass CSP protections

< 47.0,1

< 2.44

< 45.2.0,1

< 45.2.0,2

< 45.2.0

The Mozilla Foundation reports:

An integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.

< 52.0.1,1

Mozilla Foundation reports:

CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin

CVE-2018-12392: Crash with nested event loops

CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript

CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting

CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts

CVE-2018-12397:

CVE-2018-12398: CSP bypass through stylesheet injection in resource URIs

CVE-2018-12399: Spoofing of protocol registration notification bar

CVE-2018-12400: Favicons are cached in private browsing mode on Firefox for Android

CVE-2018-12401: DOS attack through special resource URI parsing

CVE-2018-12402: SameSite cookies leak when pages are explicitly saved

CVE-2018-12403: Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP

CVE-2018-12388: Memory safety bugs fixed in Firefox 63

CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

< 63.0_1,1

< 56.2.5

< 2.53.0

< 60.3.0,1

< 60.3.0,2

< 60.3.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 53.0_2,1

< 2.49.1

ge 46.0,1 lt 52.1.0_2,1

< 45.9.0,1

ge 46.0,2 lt 52.1.0,2

< 45.9.0,2

ge 46.0 lt 52.1.0

< 45.9.0

ge 46.0 lt 52.1.0

< 45.9.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 50.0_1,1

< 2.47

< 45.5.0,1

< 45.5.0,2

< 45.5.0

Mozilla Foundation reports:

MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)

MFSA 2009-63 Upgrade media libraries to fix memory safety bugs

MFSA 2009-62 Download filename spoofing with RTL override

MFSA 2009-61 Cross-origin data theft through document.getSelection()

MFSA 2009-59 Heap buffer overflow in string to number conversion

MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()

MFSA 2009-56 Heap buffer overflow in GIF color map parser

MFSA 2009-55 Crash in proxy auto-configuration regexp parsing

MFSA 2009-54 Crash with recursive web-worker calls

MFSA 2009-53 Local downloaded file tampering

MFSA 2009-52 Form history vulnerable to stealing

gt 3.5.*,1 lt 3.5.4,1

gt 3.*,1 lt 3.0.15,1

< 3.0.15

< 2.0

Mozilla Foundation reports:

CVE-2016-5287: Crash in nsTArray_base::SwapArrayElements

CVE-2016-5288: Web content can read cache entries

< 49.0.2,1

The Mozilla Project reports:

MFSA 2015-95 Add-on notification bypass through data URLs

MFSA 2015-94 Use-after-free when resizing canvas element during restyling

< 40.0.3,1

< 40.0.3,1

< 38.2.1,1

The Mozilla Project reports:

MFSA 2015-133 NSS and NSPR memory corruption issues

MFSA 2015-132 Mixed content WebSocket policy bypass through workers

MFSA 2015-131 Vulnerabilities found through code inspection

MFSA 2015-130 JavaScript garbage collection crash with Java applet

MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped

MFSA 2015-128 Memory corruption in libjar through zip files

MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received

MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X

MFSA 2015-125 XSS attack through intents on Firefox for Android

MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files

MFSA 2015-123 Buffer overflow during image interactions in canvas

MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy

MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect

MFSA 2015-120 Reading sensitive profile files through local HTML file on Android

MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode

MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist

MFSA 2015-117 Information disclosure through NTLM authentication

MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

< 4.10.10

< 4.10.10

ge 3.20 lt 3.20.1

ge 3.19.3 lt 3.19.4

< 3.19.2.1

< 42.0,1

< 42.0,1

< 2.39

< 2.39

< 38.4.0,1

< 38.4.0

< 38.4.0

< 38.4.0

The Mozilla Project reports:

MFSA-2015-28 Privilege escalation through SVG navigation

MFSA-2015-29 Code execution through incorrect JavaScript bounds checking elimination

< 36.0.4,1

< 31.5.3,1

< 36.0.4,1

< 2.33.1

< 2.33.1

< 31.5.3

The Mozilla Foundation reports:

Mozilla developer Johann Hofmann reported that unsanitized output in the browser UI can lead to arbitrary code execution.

< 58.0.1,1

< 56.0.3.65

Mozilla Foundation reports:

CVE-2019-9811: Sandbox escape via installation of malicious language pack

CVE-2019-11711: Script injection within domain through inner window reuse

CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

CVE-2019-11713: Use-after-free with HTTP/2 cached stream

CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread

CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

CVE-2019-11715: HTML parsing error can contribute to content XSS

CVE-2019-11716: globalThis not enumerable until accessed

CVE-2019-11717: Caret character improperly escaped in origins

CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML

CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

CVE-2019-11720: Character encoding XSS vulnerability

CVE-2019-11721: Domain spoofing through unicode latin 'kra' character

CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries

CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions

CVE-2019-11725: Websocket resources bypass safebrowsing protections

CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3

CVE-2019-11728: Port scanning through Alt-Svc header

CVE-2019-11710: Memory safety bugs fixed in Firefox 68

CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

< 68.0_4,1

< 56.2.12

< 2.53.0

< 60.8.0,1

< 60.8.0,2

< 60.8.0

The Mozilla Project reports:

MFSA 2012-90 Fixes for Location object issues

gt 11.0,1 lt 16.0.2,1

< 10.0.10,1

< 10.0.10,1

< 2.13.2

< 10.0.10

< 2.13.2

gt 11.0 lt 16.0.2

< 10.0.10

gt 1.9.2.* lt 10.0.10

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 54.0,1

< 2.49.1

< 52.2.0,1

< 52.2.0,2

< 52.2.0

The Mozilla Project reports:

MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9

MFSA 2012-22 use-after-free in IDBKeyRange

MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface

MFSA 2012-24 Potential XSS via multibyte content processing errors

MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite

MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error

MFSA 2012-27 Page load short-circuit can lead to XSS

MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions

MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues

MFSA 2012-30 Crash with WebGL content using textImage2D

MFSA 2012-31 Off-by-one error in OpenType Sanitizer

MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors

MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds

gt 11.0,1 lt 12.0,1

< 10.0.4,1

< 10.0.4,1

< 2.9

< 10.0.4

< 2.9

gt 11.0 lt 12.0

< 10.0.4

gt 1.9.2.* lt 10.0.4

Mozilla Project reports:

MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy

MFSA 2010-23 Image src redirect to mailto: URL opens email editor

MFSA 2010-22 Update NSS to support TLS renegotiation indication

MFSA 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy

MFSA 2010-20 Chrome privilege escalation via forced URL drag and drop

MFSA 2010-19 Dangling pointer vulnerability in nsPluginArray

MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView

MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection

MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)

gt 2.0 lt 2.0.4

ge 3.0 lt 3.0.4

gt 3.5.*,1 lt 3.5.9,1

gt 3.*,1 lt 3.0.19,1

< 3.0.19,1

< 3.5.9

< 3.12.5

Mozilla Foundation reports:

MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)

MFSA 2016-02 Out of Memory crash when parsing GIF format images

MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation

MFSA 2016-04 Firefox allows for control characters to be set in cookie names

MFSA 2016-06 Missing delay following user click events in protocol handler dialog

MFSA 2016-09 Addressbar spoofing attacks

MFSA 2016-10 Unsafe memory manipulation found through code inspection

MFSA 2016-11 Application Reputation service disabled in Firefox 43

< 44.0,1

< 2.41

< 38.6.0,1

< 38.6.0

The Mozilla Project reports:

MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)

MFSA 2012-92 Buffer overflow while rendering GIF images

MFSA 2012-93 evalInSanbox location context incorrectly applied

MFSA 2012-94 Crash when combining SVG text on path with CSS

MFSA 2012-95 Javascript: URLs run in privileged context on New Tab page

MFSA 2012-96 Memory corruption in str_unescape

MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox

MFSA 2012-98 Firefox installer DLL hijacking

MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment

MFSA 2012-100 Improper security filtering for cross-origin wrappers

MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset

MFSA 2012-102 Script entered into Developer Toolbar runs with chrome privileges

MFSA 2012-103 Frames can shadow top.location

MFSA 2012-104 CSS and HTML injection through Style Inspector

MFSA 2012-105 Use-after-free and buffer overflow issues found

MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer

gt 11.0,1 lt 17.0,1

< 10.0.11,1

< 10.0.11,1

< 2.14

< 10.0.11

< 2.14

gt 11.0 lt 17.0

< 10.0.11

gt 1.9.2.* lt 10.0.11

Mozilla Foundation reports:

CVE-2018-18356: Use-after-free in Skia

CVE-2019-5785: Integer overflow in Skia

CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext

< 65.0.1,1

< 60.5.1,1

< 60.5.1

Mozilla Foundation reports:

CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList

CVE-2018-5128: Use-after-free manipulating editor selection ranges

CVE-2018-5129: Out-of-bounds write with malformed IPC messages

CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption

CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources

CVE-2018-5132: WebExtension Find API can search privileged pages

CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized

CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions

CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts

CVE-2018-5136: Same-origin policy violation with data: URL shared workers

CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources

CVE-2018-5138: Android Custom Tab address spoofing through long domain names

CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol

CVE-2018-5141: DOS attack through notifications Push API

CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs

CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar

CVE-2018-5126: Memory safety bugs fixed in Firefox 59

CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7

< 59.0_1,1

< 56.0.4.36_3

< 2.49.3

< 52.7.0,1

< 52.7.0,2

< 52.7.0

The Mozilla Foundation reports:

MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin.

< 44.0.2,1

< 44.0.2,1

The Mozilla Project reports:

MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer

MFSA 2014-51 Use-after-free in Event Listener Manager

MFSA 2014-52 Use-after-free with SMIL Animation Controller

MFSA 2014-53 Buffer overflow in Web Audio Speex resampler

MFSA 2014-54 Buffer overflow in Gamepad API

MFSA 2014-55 Out of bounds write in NSPR

< 30.0,1

< 24.6.0,1

< 2.26.1

< 30.0,1

< 2.26.1

< 24.6.0

< 4.10.6

< 24.6.0

Mozilla Foundation reports:

CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS

CVE-2019-9816: Type confusion with object groups and UnboxedObjects

CVE-2019-9817: Stealing of cross-domain images using canvas

CVE-2019-9818: Use-after-free in crash generation server

CVE-2019-9819: Compartment mismatch with fetch API

CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

CVE-2019-9821: Use-after-free in AssertWorkerThread

CVE-2019-11691: Use-after-free in XMLHttpRequest

CVE-2019-11692: Use-after-free removing listeners in the event listener manager

CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux

CVE-2019-7317: Use-after-free in png_image_free of libpng library

CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox

CVE-2019-11695: Custom cursor can render over user interface outside of web content

CVE-2019-11696: Java web start .JNLP files are not recognized as executable files for download prompts

CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions

CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks

CVE-2019-11700: res: protocol can be used to open known local files

CVE-2019-11699: Incorrect domain name highlighting during page navigation

CVE-2019-11701: webcal: protocol default handler loads vulnerable web page

CVE-2019-9814: Memory safety bugs fixed in Firefox 67

CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7

< 67.0,1

< 56.2.10

< 2.53.0

< 60.7.0,1

< 60.7.0,2

< 60.7.0

Mozilla Foundation reports:

Please reference CVE/URL list for details

< 55.0,1

< 2.49.1

< 52.3.0,1

< 52.3.0,2

< 52.3.0

The Mozilla Project reports:

MFSA 2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

MFSA 2015-135 Crash with JavaScript variable assignment with unboxed objects

MFSA 2015-136 Same-origin policy violation using perfomance.getEntries and history navigation

MFSA 2015-137 Firefox allows for control characters to be set in cookies

MFSA 2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed

MFSA 2015-139 Integer overflow allocating extremely large textures

MFSA 2015-140 Cross-origin information leak through web workers error events

MFSA 2015-141 Hash in data URI is incorrectly parsed

MFSA 2015-142 DOS due to malformed frames in HTTP/2

MFSA 2015-143 Linux file chooser crashes on malformed images due to flaws in Jasper library

MFSA 2015-144 Buffer overflows found through code inspection

MFSA 2015-145 Underflow through code inspection

MFSA 2015-146 Integer overflow in MP4 playback in 64-bit versions

MFSA 2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright

MFSA 2015-148 Privilege escalation vulnerabilities in WebExtension APIs

MFSA 2015-149 Cross-site reading attack through data and view-source URIs

< 43.0,1

< 43.0,1

< 2.40

< 2.40

< 38.5.0,1

< 38.5.0

< 38.5.0

< 38.5.0

Mozilla Foundation reports:

CVE-2019-11733: Stored passwords in 'Saved Logins' can be copied without master password entry

When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords.

< 1.28.2

< 68.0.2,1

The Mozilla Project reports:

MFSA-2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

MFSA-2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer

MFSA-2015-48 Buffer overflow with SVG content and CSS

MFSA-2015-49 Referrer policy ignored when links opened by middle-click and context menu

MFSA-2015-50 Out-of-bounds read and write in asm.js validation

MFSA-2015-51 Use-after-free during text processing with vertical text enabled

MFSA-2015-52 Sensitive URL encoded information written to Android logcat

MFSA-2015-53 Use-after-free due to Media Decoder Thread creation during shutdown

MFSA-2015-54 Buffer overflow when parsing compressed XML

MFSA-2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata

MFSA-2015-56 Untrusted site hosting trusted page can intercept webchannel responses

MFSA-2015-57 Privilege escalation through IPC channel messages

MFSA-2015-58 Mozilla Windows updater can be run outside of application directory

MFSA 2015-93 Integer overflows in libstagefright while processing MP4 video metadata

< 38.0,1

< 38.0,1

< 2.35

< 2.35

< 31.7.0,1

< 31.7.0

ge 32.0 lt 38.0

< 31.7.0

ge 32.0 lt 38.0

< 31.7.0

ge 32.0 lt 38.0

Mozilla Foundation reports:

MFSA 2009-51 Chrome privilege escalation with FeedWriter

MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters

MFSA 2009-49 TreeColumns dangling pointer vulnerability

MFSA 2009-48 Insufficient warning for PKCS11 module installation and removal

MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)

gt 3.5.*,1 lt 3.5.3,1

gt 3.*,1 lt 3.0.13,1

The Mozilla Foundation reports:

A heap buffer overflow can occur in the Skia library when rasterizing paths using a maliciously crafted SVG file with anti-aliasing turned off. This results in a potentially exploitable crash.

< 60.0.2,1

< 56.2.0.13_5

< 52.8.1,1

< 2.49.4

Mozilla Foundation reports:

CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data

CVE-2017-7844: Visited history information leak through SVG image

ge 57.0,1 lt 57.0.1,1

< 56.0.2_11,1

< 56.0.s20171130

< 2.49.2

< 52.5.1,1

< 52.5.1,2

Firefox Developers report:

Security researcher Abdulrahman Alqabandi reported that the fetch() API did not correctly implement the Cross-Origin Resource Sharing (CORS) specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue.

< 41.0.2,1

< 41.0.2,1

The Mozilla Project reports:

MFSA 2013-29 Use-after-free in HTML Editor

gt 18.0,1 lt 19.0.2,1

< 17.0.3,1

< 17.0.4,1

< 2.16.1

< 17.0.4

< 2.16.1

gt 11.0 lt 17.0.4

< 10.0.12

The Mozilla Project reports:

MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

MFSA 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer

MFSA 2013-03 Buffer Overflow in Canvas

MFSA 2013-04 URL spoofing in addressbar during page loads

MFSA 2013-05 Use-after-free when displaying table with many columns and column groups

MFSA 2013-06 Touch events are shared across iframes

MFSA 2013-07 Crash due to handling of SSL on threads

MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection

MFSA 2013-09 Compartment mismatch with quickstubs returned values

MFSA 2013-10 Event manipulation in plugin handler to bypass same-origin policy

MFSA 2013-11 Address space layout leaked in XBL objects

MFSA 2013-12 Buffer overflow in Javascript string concatenation

MFSA 2013-13 Memory corruption in XBL with XML bindings containing SVG

MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype

MFSA 2013-15 Privilege escalation through plugin objects

MFSA 2013-16 Use-after-free in serializeToStream

MFSA 2013-17 Use-after-free in ListenerManager

MFSA 2013-18 Use-after-free in Vibrate

MFSA 2013-19 Use-after-free in Javascript Proxy objects

MFSA 2013-20 Mis-issued TURKTRUST certificates

gt 11.0,1 lt 17.0.2,1

< 10.0.12,1

< 17.0.2,1

< 2.15

< 17.0.2

< 2.15

gt 11.0 lt 17.0.2

< 10.0.12

gt 1.9.2.* lt 10.0.12

< 3.14.1

Mozilla Project reports:

MFSA 2010-05 XSS hazard using SVG document and binary Content-Type

MFSA 2010-04 XSS due to window.dialogArguments being readable cross-domain

MFSA 2010-03 Use-after-free crash in HTML parser

MFSA 2010-02 Web Worker Array Handling Heap Corruption Vulnerability

MFSA 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)

gt 3.5.*,1 lt 3.5.8,1

gt 3.*,1 lt 3.0.18,1

< 3.0.18,1

< 3.5.8

gt 2.0.* lt 2.0.3

ge 3.0 lt 3.0.2

The Mozilla Project reports:

MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)

MFSA 2012-58 Use-after-free issues found using Address Sanitizer

MFSA 2012-59 Location object can be shadowed using Object.defineProperty

MFSA 2012-60 Escalation of privilege through about:newtab

MFSA 2012-61 Memory corruption with bitmap format images with negative height

MFSA 2012-62 WebGL use-after-free and memory corruption

MFSA 2012-63 SVG buffer overflow and use-after-free issues

MFSA 2012-64 Graphite 2 memory corruption

MFSA 2012-65 Out-of-bounds read in format-number in XSLT

MFSA 2012-66 HTTPMonitor extension allows for remote debugging without explicit activation

MFSA 2012-67 Installer will launch incorrect executable following new installation

MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html

MFSA 2012-69 Incorrect site SSL certificate data display

MFSA 2012-70 Location object security checks bypassed by chrome code

MFSA 2012-71 Insecure use of __android_log_print

MFSA 2012-72 Web console eval capable of executing chrome-privileged code

gt 11.0,1 lt 15.0,1

< 10.0.7,1

< 10.0.7,1

< 2.12

< 10.0.7

< 2.12

gt 11.0 lt 15.0

< 10.0.7

gt 1.9.2.* lt 10.0.7

The Mozilla Project reports:

MFSA-2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

MFSA-2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin

MFSA-2015-32 Add-on lightweight theme installation approval bypassed through MITM attack

MFSA-2015-33 resource:// documents can load privileged pages

MFSA-2015-34 Out of bounds read in QCMS library

MFSA-2015-35 Cursor clickjacking with flash and images

MFSA-2015-36 Incorrect memory management for simple-type arrays in WebRTC

MFSA-2015-37 CORS requests should not follow 30x redirections after preflight

MFSA-2015-38 Memory corruption crashes in Off Main Thread Compositing

MFSA-2015-39 Use-after-free due to type confusion flaws

MFSA-2015-40 Same-origin bypass through anchor navigation

MFSA-2015-41 PRNG weakness allows for DNS poisoning on Android

MFSA-2015-42 Windows can retain access to privileged content on navigation to unprivileged pages

< 37.0,1

< 31.6.0,1

< 37.0,1

< 2.34

< 31.6.0

< 2.34

< 31.6.0

< 31.6.0

Google Chrome Releases reports:

[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.

Mozilla Foundation reports:

Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially exploitable crash when triggered.

ge 0.3.0 lt 0.3.0_1

< 0.2.0_2

< 0.3.0_3

< 48.0.2564.109

< 45.0,1

< 2.42

< 38.7.0,1

< 38.7.0

Mozilla Foundation reports:

CVE-2019-11707: Type confusion in Array.pop

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

< 67.0.3,1

< 56.2.11

< 60.7.1,1

The Mozilla Foundation reports:

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.

< 50.0.2,1

< 45.5.1,1

< 45.5.1,2

< 2.46

< 2.46

< 45.5.1

< 45.5.1

< 45.5.1

The Mozilla Project reports:

MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)

MFSA 2014-02 Clone protected content with XBL scopes

MFSA 2014-03 UI selection timeout missing on download prompts

MFSA 2014-04 Incorrect use of discarded images by RasterImage

MFSA 2014-05 Information disclosure with *FromPoint on iframes

MFSA 2014-06 Profile path leaks to Android system log

MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy

MFSA 2014-08 Use-after-free with imgRequestProxy and image proccessing

MFSA 2014-09 Cross-origin information leak through web workers

MFSA 2014-10 Firefox default start page UI content invokable by script

MFSA 2014-11 Crash when using web workers with asm.js

MFSA 2014-12 NSS ticket handling issues

MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects

gt 25.0,1 lt 27.0,1

< 24.3.0,1

< 27.0,1

< 2.24

< 24.3.0

< 2.24

< 24.3.0

Mozilla Foundation reports:

CVE-2018-12386: Type confusion in JavaScript

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered.

CVE-2018-12387:

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.

< 62.0.3,1

< 56.2.4

< 2.53.0

< 60.2.2,1

< 60.2.2,2

< 60.2.2

The Mozilla Project reports:

ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data

MFSA-2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory

MFSA-2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer

MFSA-2014-88 Buffer overflow while parsing media content

MFSA-2014-87 Use-after-free during HTML5 parsing

MFSA-2014-86 CSP leaks redirect data via violation reports

MFSA-2014-85 XMLHttpRequest crashes with some input streams

MFSA-2014-84 XBL bindings accessible via improper CSS declarations

MFSA-2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)

< 34.0,1

< 31.3.0,1

< 34.0,1

< 2.31

< 31.3.0

< 2.31

< 31.3.0

< 31.3.0

< 3.17.3

Mozilla Foundation reports:

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]

CVE-2016-5283 -