Mozilla sent Firefox Version 94.0 to the release channel today. The update includes thirteen security updates, of which seven (7) are rated high, four (4) are rated moderate, and two (2) are rated low.
Firefox ESR was updated to Version 91.3.
High
- CVE-2021-38503: iframe sandbox rules did not apply to XSLT
stylesheets
- CVE-2021-38504: Use-after-free in file picker dialog
- CVE-2021-38505: Windows 10 Cloud Clipboard may have
recorded sensitive user data
- CVE-2021-38506: Firefox could be coaxed into going into
fullscreen mode without notification or warning
- CVE-2021-38507: Opportunistic Encryption in HTTP2 could be
used to bypass the Same-Origin-Policy on services hosted on other ports
- MOZ-2021-0003: Universal XSS in Firefox for Android via QR
Code URLs
- MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and
Firefox ESR 91.3
Moderate
- CVE-2021-38508: Permission Prompt could be overlaid,
resulting in user confusion and potential spoofing
- MOZ-2021-0004: Web Extensions could access pre-redirect
URL when their context menu was triggered by a user
- CVE-2021-38509: Javascript alert box could have been
spoofed onto an arbitrary domain
- CVE-2021-38510: Download Protections were bypassed by
.inetloc files on Mac OS
Low
New
With 94, you’ll find a selection of six fun seasonal Colorways
(available for a limited time only). Now you can find a color to suit (or lift)
your every mood.
Fun fact: Did you know we have more daily users with color themes
than dark or Alpenglow on Beta? With Firefox 89, 32% of users clicked through
to customize their color theme. And that was just on the first day! We decided
to introduce these new Colorways to give our users more to love.
Firefox macOS now uses Apple's low power mode for fullscreen video on YouTube and Twitch.
This meaningfully extends battery life in long viewing sessions. Now your kids
can find out what the fox says on a loop without you ever missing a beat…
- With this release, power users can use about:unloads to
release system resources by manually unloading tabs without closing them.
- On Windows, there will now be fewer interruptions
because Firefox won’t prompt you for updates. Instead, a background
agent will download and install updates even if Firefox is closed.
- To better protect all Firefox users against
side-channel attacks such as Spectre, we’ve introduced Site Isolation.
We’ve got your back...errr...side!
- We’re rolling out the Firefox Multi-Account
Containers extension with Mozilla VPN integration. This lets
you use a different server location for each container.
- Firefox no longer warns you by default when you exit
the browser or close a window using a menu, button, or three-key command.
This should cut back on unwelcome notifications which is always
nice--however, if you prefer a bit of notice, you’ll still have full
control over the quit/close modal behavior. All warnings can be managed
within Firefox Settings. No worries!
- And now, Firefox supports the new Snap Layouts menus
when running on Windows 11.
Fixed
- We’ve reduced the overhead of using performance.mark()
and performance.measure() APIs with a large set of performance entries.
- Plus, we’ve modified paint suppression during load to
greatly improve warmload performance in Site Isolation mode.
- You’ll also notice a small reduction in Javascript
memory usage.
- With this release, you’ll notice faster Javascript
property enumeration as well.
- We’ve also implemented better scheduling of garbage
collection which has improved some pageload benchmarks.
- This release also sees reduced CPU usage during socket
polling for HTTPS connections.
- Additionally, you’ll notice faster storage
initialization.
- We’ve also improved cold startup by reducing main
thread I/O.
- Plus, closing devtools now reclaims more memory than
ever before.
- And we’ve improved pageload (especially with Site
Isolation mode) by setting a higher priority for loading and displaying
images.
Update
To get the update now, select "Help" from the Firefox menu, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.