Mozilla has released Firefox 127, addressing 15 security vulnerabilities, some of which have been rated as high impact.
This update is crucial for users to ensure their browsing experience remains secure.
Below is a detailed breakdown of the vulnerabilities fixed in this release.
CVE-2024-5687: An Incorrect Principal Could Have Been Used When Opening New Tabs
Reporter: jackyzy823
Impact: High
Description: When opening a new tab, a specific sequence of actions could result in an incorrect triggering principle.
This principle is crucial for calculating values like the Referer and Sec- headers, potentially leading to incorrect security checks and misleading information sent to remote websites.
This bug affects only Firefox for Android.
References: Bug 1889066
CVE-2024-5688: Use-After-Free in JavaScript Object Transplant
Reporter: Lukas Bernhard
Impact: High
Description: A use-after-free vulnerability could occur during object transplant if garbage collection is triggered correctly.
References: Bug 1895086
Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN : Start your Analysis
CVE-2024-5689: User Confusion and Possible Phishing Vector via Firefox Screenshots
Reporter: Fabian Fäßler
Impact: Moderate
Description: A website could overlay the ‘My Shots’ button that appears when a user takes a screenshot, directing them to a replica Firefox Screenshots page, potentially used for phishing.
References: Bug 1389707
CVE-2024-5690: External Protocol Handlers Leaked by Timing Attack
Reporter: Satoki Tsuji
Impact: Moderate
Description: An attacker could guess which external protocol handlers were functional on a user’s system by monitoring the time certain operations take.
References: Bug 1883693
CVE-2024-5691: Sandboxed Iframes Bypassing Sandbox Restrictions to Open a New Window
Reporter: Luan Herrera
Impact: Moderate
Description: A sandboxed iframe could bypass restrictions to open a new window by tricking the browser with an X-Frame-Options header.
References: Bug 1888695
CVE-2024-5692: Bypass of File Name Restrictions During Saving
Reporters: Raphael Shaniyazov and Axel Chong (@Haxatron)
Impact: Moderate
Description: An attacker could trick the browser into saving a file with a disallowed extension on Windows by including an invalid character.
This issue only affects Windows operating systems.
References: Bug 1891234, Bug 1837514
CVE-2024-5693: Cross-Origin Image Leak via Offscreen Canvas
Reporter: Kirtikumar Anandrao Ramchandani
Impact: Moderate
Description: Offscreen Canvas did not correctly track cross-origin tainting, allowing access to image data from another site, violating the same-origin policy.
References: Bug 1891319
CVE-2024-5694: Use-After-Free in JavaScript Strings
Reporter: Lukas Bernhard
Impact: Moderate
Description: An attacker could cause a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap.
References: Bug 1895055
CVE-2024-5695: Memory Corruption Using Allocation Under Out-of-Memory Conditions
Reporter: Irvan Kurniawan
Impact: Moderate
Description: An out-of-memory condition during allocations in the probabilistic heap checker could trigger an assertion, potentially leading to memory corruption.
References: Bug 1895579
CVE-2024-5696: Memory Corruption in Text Fragments
Reporter: Irvan Kurniawan
Impact: Moderate
Description: Manipulating text in a tag could cause memory corruption, leading to a potentially exploitable crash.
References: Bug 1896555
CVE-2024-5697: Website Able to Detect When Firefox Takes a Screenshot
Reporter: Wil Clouser
Impact: Low
Description: A website could detect when a user took a screenshot using Firefox’s built-in Screenshot functionality.
References: Bug 1414937
CVE-2024-5698: Data-List Could Overlay Address Bar
Reporter: Hafiizh
Impact: Low
Description: By manipulating the fullscreen feature while opening a data-list, an attacker could overlay a text box over the address bar, leading to user confusion and possible spoofing attacks.
References: Bug 1828259
CVE-2024-5699: Cookie Prefixes Not Treated as Case-Sensitive
Reporter: Konstantin Preißer
Impact: Low
Description: Cookie prefixes such as __Secure were ignored if not correctly capitalized, violating the spec that requires case-insensitive comparison.
References: Bug 1891349
CVE-2024-5700: Memory Safety Bugs Fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12
Reporter: The Mozilla Fuzzing Team
Impact: High
Description: Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 showed evidence of memory corruption, which could potentially be exploited to run arbitrary code.
References: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12
CVE-2024-5701: Memory Safety Bugs Fixed in Firefox 127
Reporters: Randell Jesup and the Mozilla Fuzzing Team
Impact: High
Description: Memory safety bugs in Firefox 126 showed evidence of memory corruption, potentially exploitable to run arbitrary code.
References: Memory safety bugs fixed in Firefox 127.
Mozilla urges all users to update to Firefox 127 to ensure their browsers are protected against these vulnerabilities.
Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs:
Try Free Demo