Mozilla sent Firefox Version 48.0.0 to the release channel today. The update is a major release and includes three (3) critical, seven (7) high, eleven (11) moderate and two (2) low security updates.
The next scheduled release is September 13, 2016.
Firefox ESR continues to ship point releases on the same day that Firefox ships. It has been updated to Version 45.3.0 and can be downloaded from here.
Fixed in Firefox 48
- 2016-84 Information disclosure through Resource Timing API during page navigation
- 2016-83 Spoofing attack through text injection into internal error pages
- 2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
- 2016-81 Information disclosure and local file manipulation through drag and drop
- 2016-80 Same-origin policy violation using local HTML file and saved shortcut file
- 2016-79 Use-after-free when applying SVG effects
- 2016-78 Type confusion in display transformation
- 2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
- 2016-76 Scripts on marquee tag can execute in sandboxed iframes
- 2016-75 Integer overflow in WebSockets during data buffering
- 2016-74 Form input type change from password to text can store plain text password in session restore file
- 2016-73 Use-after-free in service workers with nested sync events
- 2016-72 Use-after-free in DTLS during WebRTC session shutdown
- 2016-70 Use-after-free when using alt key and toplevel menus
- 2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
- 2016-68 Out-of-bounds read during XML parsing in Expat library
- 2016-67 Stack underflow during 2D graphics rendering
- 2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
- 2016-65 Cairo rendering crash due to memory allocation issue with FFMpeg 0.10
- 2016-64 Buffer overflow rendering SVG with bidirectional content
- 2016-63 Favicon network connection can persist when page is closed
- 2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
- Roar for moar protection against harmful downloads! We've got your back. Thanks to Google’s expansion of their Safe Browsing service, Firefox 48 now extends our existing protection to include two additional kinds of downloads: potentially unwanted software and uncommon downloads.
- Process separation (e10s) is enabled for some of you. Like it? Let us know and we'll roll it out to more.
- Add-ons that have not been verified and signed by Mozilla will not load
- GNU/Linux fans: Get better Canvas performance with speedy Skia support. Try saying that three times fast
- WebRTC embetterments:
  - Delay-agnostic AEC enabled
  - Full duplex for GNU/Linux enabled
  - ICE Restart & Update is supported
  - Cloning of MediaStream and MediaStreamTrack is now supported
- Searching for something already in your bookmarks or open tabs? We added super smart icons to let you know
- Windows folks: Tab (move buttons) and Shift+F10 (pop-up menus) now behave as they should in Firefox customization mode
- The media parser has been redeveloped using the Rust programming language
- So long to support for 10.6, 10.7 and 10.8. Now we can focus on where most Mac users are: 10.9. Don't forget to upgrade!
- After version 48, SSE2 CPU extensions are going to be required on Windows
- Au revoir to Windows Remote Access Service modem Autodial
- Heyo, Jabra & Logitech C920 webcam users. We fixed those pesky WebRTC bugs causing frequency distortions. Buh-bye, squeaky voice!
- Improved step debugging on last line of functions
- On some websites that use a large number of cookies, the user can be logged out under certain conditions (1264192)