Mozilla sent Firefox Version 95.0 to the release channel today. The update includes thirteen security updates, of which six (6) are rated high, five (5) are rated moderate, and two (2) are rated low.
Firefox ESR was updated to Version 91.4.
High
- #CVE-2021-43536: URL leakage when navigating while executing asynchronous function
- #CVE-2021-43537: Heap buffer overflow when using structured clone
- #CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
- #CVE-2021-43539: GC rooting failure when calling wasm instance methods
- #MOZ-2021-0010: Use-after-free in fullscreen objects on MacOS
- #MOZ-2021-0009: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
Moderate
- #CVE-2021-43540: WebExtensions could have installed persistent ServiceWorkers
- #CVE-2021-43541: External protocol handler parameters were unescaped
- #CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
- #CVE-2021-43543: Bypass of CSP sandbox directive when embedding
- #CVE-2021-43544: Receiving a malicious URL as text through a SEND intent could have led to XSS
Low
- #CVE-2021-43545: Denial of Service when using the Location API in a loop
- #CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
New
- RLBox — a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries — is now enabled on all platforms.
- Good news! You can now download Firefox from the Microsoft Store on Windows 10 and Windows 11 platforms.
- We’ve reduced CPU usage on macOS in Firefox and WindowServer during event processing.
- We’ve also reduced the power usage of software decoded video on macOS, especially in fullscreen. This includes streaming sites such as Netflix and Amazon Prime Video.
- You can now move the Picture-in-Picture toggle button to the opposite side of the video. Simply look for the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side.
- To better protect Firefox users against side-channel attacks such as Spectre, Site Isolation is now enabled for all Firefox 95 users.
Fixed
- After starting Firefox, users of the JAWS screen reader and ZoomText magnifier will no longer need to switch applications in order to access Firefox.
- You’ll find the state of controls using the ARIA switch role is now correctly reported by Mac OS VoiceOver.
- You’ll see a faster content process startup on macOS.
- We’ve also made memory allocator improvements.
- And we’ve improved page load performance by speculatively compiling JavaScript ahead of time.
Changed
- We’ve added a User Agent override for Slack.com, which allows Firefox users to use more Call features and have access to Huddles.
Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.