Mozilla sent Firefox Version 96.0 to the release channel today. The update includes eighteen security updates of which nine (9) are rated high, six (6) are rated moderate, and three (3) are rated low.
Firefox ESR was updated to Version 91.5.
High
- #CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof
- #CVE-2022-22743: Browser window spoof using fullscreen mode
- #CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode
- #CVE-2022-22741: Browser window spoof using fullscreen mode
- #CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
- #CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
- #CVE-2022-22737: Race condition when playing audio files
- #CVE-2021-4140: Iframe sandbox bypass with XSLT
- #CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5
Moderate
- #CVE-2022-22750: IPC passing of resource handles could have lead to sandbox bypass
- #CVE-2022-22749: Lack of URL restrictions when scanning QR codes
- #CVE-2022-22748: Spoofed origin on external protocol launch dialog
- #CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event
- #CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
- #CVE-2022-22752: Memory safety bugs fixed in Firefox 96
Low
- CVE-2022-22747: Crash when handling empty pkcs7 sequence
- #CVE-2022-22736: Potential local privilege escalation when loading modules from the install directory.
- #CVE-2022-22739: Missing throttling on external protocol launch dialog
New
- We’ve made significant improvements in noise-suppression and auto-gain-control as well as slight improvements in echo-cancellation to provide you with a better overall experience.
- We’ve also significantly reduced main-thread load.
- Firefox will now enforce the
Cookie Policy: Same-Site=lax
by default which provides a solid first line of defense against Cross-Site Request Forgery (CSRF) attacks.
Fixed
- On macOS, command-clicking links in Gmail now opens them in a new tab as expected.
- Our newest release fixes an issue where video intermittently drops SSRC.
- It also fixes an issue where WebRTC downgrades screen sharing resolution to provide you with a clearer browsing experience.
- Plus, we’ve fixed video quality degradation issues on certain sites.
- Detached video in fullscreen on macOS has been temporarily disabled to avoid some issues with corruption, brightness changes, missing subtitles and high cpu usage.
Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
References
No comments:
Post a Comment
Neither spam nor comments containing vulgarities will be approved.