With the release of Mozilla Firefox 120, 10 vulnerabilities are patched, including six ‘High Severity’ issues and two moderate and low severity issues.
The key changes in Firefox 120 include:
- Global Privacy Control setting
- Import data from Chromium snap
- Option to copy link without site tracking
- Picture-in-Picture (PIP) mode now supports corner snapping on Windows and Linux
- Adds new DevTools feature
- Imports TLS trust anchors
- Improvements in private windows and ETP-Strict privacy configuration.
High Severity Flaws Addressed
The vulnerability is CVE-2023-6204; depending on the graphics settings and drivers, it was possible to cause an out-of-bounds read and leak memory data into images created on the canvas element. JSec of Hayyim Security reported this issue.
The bug, identified as CVE-2023-6205, allowed for the use of a MessagePort after it had already been freed, potentially leading to an exploitable crash. Yangkang of the 360 ATA Team reported this issue.
The CVE-2023-6206 issue, black fade animation while exiting fullscreen, is roughly the length of the anti-clickjacking delay on permission prompts. This fact might be used to surprise consumers by persuading them to click where the permission grant button was due to appear. The issue was reported by Hafiizh.
The flaw tracked as CVE-2023-6207 is a Use-after-free in ReadableByteStreamQueueEntry::Buffer. Yangkang of the 360 ATA Team reported this high-severity issue.
CVE-2023-6212 is a memory safety bug fixed in Firefox 120, ESR 115.5, and Thunderbird 115.5.
In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway
Firefox 120 has addressed memory safety issues, which is the flaw identified as CVE-2023-6213. Developers for Mozilla reported both of the bugs with high severity.
“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code”, Mozilla said in its advisory.
Moderate and Low Severity Issues Addressed
Moderate Severity Issues: Using Selection API would copy contents into X11 primary selection (CVE-2023-6208) and Incorrect parsing of relative URLs starting with “///” (CVE-2023-6209).
Low Severity Issues: Mixed-content resources not blocked in a javascript: pop-up (CVE-2023-6210) and Clickjacking to load insecure pages in HTTPS-only mode (CVE-2023-6211).
You can download Firefox for Windows, macOS, or Linux from the Mozilla website.
Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.