Mozilla Releases Security Updates for Firefox 111 and Firefox ESR 102.9 - 20230316002

Overview

Mozilla has released security updates to address vulnerabilities in Firefox 111 and Firefox ESR 102.9. An attacker could exploit some of these vulnerabilities to take control of an affected system.

What is the vulnerability?

  • CVE-2023-28159 - Fullscreen Notification could have been hidden by download popups on Android
  • CVE-2023-25748 - Fullscreen Notification could have been hidden by window prompts on Android
  • CVE-2023-25749 - Firefox for Android may have opened third-party apps without a prompt
  • CVE-2023-25750 - Potential ServiceWorker cache leak during private browsing mode
  • CVE-2023-25751 - Incorrect code generation during JIT compilation
  • CVE-2023-28160 - Redirect to Web Extension files may have leaked local path
  • CVE-2023-28164 - URL being dragged from a removed cross-origin iframe into the same tab triggered navigation
  • CVE-2023-28161 - One-time permissions granted to a local file were extended to other local files loaded in the same tab
  • CVE-2023-28162 - Invalid downcast in Worklets
  • CVE-2023-25752 - Potential out-of-bounds when accessing throttled streams
  • CVE-2023-28163 - Windows Save As dialog resolved environment variables
  • CVE-2023-28176 - Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9
  • CVE-2023-28177 - Memory safety bugs fixed in Firefox 111

What is vulnerable?

These vulnerabilities affect the following products:

  • Firefox versions prior to 111 and Firefox ESR versions prior to 102.9

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected products.
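
To check a host against the affected versions listed above, the following added example (not part of the original advisory or Mozilla's tooling) classifies a Firefox version string. It assumes the string has the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the function name and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a Firefox version string with the fixed versions
# named in this advisory (Firefox 111, Firefox ESR 102.9).
# Assumption: input looks like "Mozilla Firefox 102.8.0esr" or "110.0.1".

# firefox_status VERSION_STRING -> prints patched | vulnerable | unknown
firefox_status() {
    ver=${1##* }                          # last field, e.g. "102.8.0esr"
    case $ver in
        *esr) channel=esr; ver=${ver%esr} ;;
        *)    channel=release ;;
    esac
    # Pre-release or malformed strings (e.g. "111.0b3") are not judged here.
    case $ver in
        ''|.*|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then rest=0; fi   # no dot present
    minor=${rest%%.*}
    if [ -z "$minor" ]; then minor=0; fi

    if [ "$channel" = esr ]; then
        # ESR is fixed from 102.9 onward.
        if [ "$major" -gt 102 ]; then
            echo patched
        elif [ "$major" -eq 102 ] && [ "$minor" -ge 9 ]; then
            echo patched
        else
            echo vulnerable
        fi
    else
        # Release channel is fixed from 111 onward; the ESR threshold
        # must not be applied to a non-ESR build.
        if [ "$major" -ge 111 ]; then echo patched; else echo vulnerable; fi
    fi
}

# Constructed sample inputs, not taken from real hosts.
for sample in "Mozilla Firefox 110.0.1" "Mozilla Firefox 111.0" \
              "Mozilla Firefox 102.8.0esr" "Mozilla Firefox 102.9.0esr"; do
    printf '%-30s %s\n' "$sample" "$(firefox_status "$sample")"
done
```

On a host with Firefox on the PATH, the same function can be fed live output with `firefox_status "$(firefox --version)"`.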