Уязвимость функции nsTArray_Impl::ReplaceElementsAt() почтового клиента Thunderbird, браузеров Firefox и Firefox ESR, позволяющая нарушителю выполнить произвольный код

Уязвимость почтового клиента Thunderbird, браузеров Firefox и Firefox ESR, связанная с неправильной обработкой ошибок при обработке недоступного PAC-файла, позволяющая нарушителю задать URL-адрес PAC, и если сервер, на котором размещен PAC, недоступен, запросы OCSP блокируются, что приводит к отображению неверных страниц ошибок

Уязвимость почтового клиента Thunderbird, браузера Firefox ESR, связанная с ошибкой при обработке таблиц стилей CSS, доступных через внутренние URI, как «ресурс:», позволяющая нарушителю обойти реализованную политику безопасности содержимого

Уязвимость браузера Mozilla Firefox, вызванная выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код

Уязвимость функции PK11_ChangePW браузера Mozilla Firefox, почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость почтового клиента Thunderbird, связанная с ошибками при обработке входных данных, позволяющая нарушителю выполнить произвольный JavaScript-код

Уязвимость обработчика JavaScript-сценариев SpiderMonkey браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю выполнить произвольный код

Уязвимость обработчика JavaScript-сценариев SpiderMonkey браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю выполнить произвольный код

Уязвимость изолированной среды iframe почтового клиента Thunderbird, позволяющая нарушителю обойти существующие ограничения безопасности

Уязвимость реализации протокола matrix почтового клиента Thunderbird, позволяющая нарушителю выполнить атаку типа «отказ в обслуживании» (DoS)

Уязвимость почтового клиента Thunderbird, связанная с ошибками при обработке входных данных, позволяющая нарушителю обойти существующие ограничения безопасности

Уязвимость реализации технологии XSLT (eXtensible Stylesheet Language Transformations) почтового клиента Thunderbird, браузеров Firefox и Firefox ESR, позволяющая нарушителю повысить свои привилегии

Уязвимость реализации технологии XSLT (eXtensible Stylesheet Language Transformations) браузера Firefox и почтового клиента Thunderbirds, позволяющая нарушителю проводить спуфинг-атаки

Уязвимость веб-браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с раскрытием информации в ошибочной области данных, позволяющая нарушителю инициировать сетевые запросы

Уязвимость почтового клиента Thunderbird, связанная с некорректными действиями, выполняемыми пользовательским интерфейсом, позволяющая нарушителю выполнить произвольный код

Уязвимость браузеров Mozilla Firefox, Mozilla Firefox ESR и почтового клиента Thunderbird, связанная с копированием буфера без проверки размера входных данных, позволяющая нарушителю выполнить произвольный код

Уязвимость веб-браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с ошибками представления информации пользовательским интерфейсом, позволяющая нарушителю раскрыть защищаемую информацию

Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, существующая из-за непринятия мер по защите структуры веб-страницы, позволяющая нарушителю раскрыть защищаемую информацию, изменить внешний вид веб-страницы, выполнить фишинговые атаки

Уязвимость реализации конфигурации CSP: base-uri браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю обойти ограничения безопасности

Уязвимость реализации технологии WASM браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю обойти ограничение безопасного контекста для файлов cookie с префиксом __Host и __Secure и перезаписать эти файлы

Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с использованием памяти после ее освобождения, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании

Уязвимость реализации механизма FeaturePolicy браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю обойти ограничения безопасности

Уязвимость функции Window.print() браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость компонента Garbage Collector («Сборщик мусора») обработчика JavaScript-сценариев JS Engine браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании

Уязвимость метода performance.getEntries() браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации

Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с ошибками представления информации пользовательским интерфейсом, позволяющая нарушителю проводить спуфинг-атаки

Уязвимость интерфейса InputStream браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю выполнить произвольный код

Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с использованием памяти после ее освобождения, позволяющая нарушителю выполнить произвольный код

Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связана с ошибками представления информации пользовательским интерфейсом, позволяющая нарушителю проводить спуфинг-атаки

Уязвимость компонента Garbage Collector («Сборщик мусора») браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю выполнить произвольный код

Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с выходом операции за границы буфера, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код

Уязвимость службы Service Workers браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю получить информацию о наличии или длине медиафайла

Уязвимость службы Service Workers браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю обойти существующие ограничения безопасности

Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код

Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с ошибками в настройках безопасности, позволяющая нарушителю раскрыть защищаемую информацию

Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с выходом операции за границы буфера, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость реализации метода Trace браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с ошибками представления информации пользовательским интерфейсом, позволяющая нарушителю проводить спуфинг-атаки

Уязвимость изолированной среды iframe браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю проводить спуфинг-атаки

Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Mozilla Thunderbird, связанная с недостаточной защитой служебных данных, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации

Уязвимость реализации полноэкранного предупреждающего сообщения браузера Mozilla Firefox, позволяющая нарушителю произвести спуфинговую атаку

Уязвимость библиотеки libusrsctp браузера Mozilla Firefox, позволяющая нарушителю вызвать использование уязвимой библиотеки и произвести атаку на устройство

Уязвимость почтового клиента Thunderbird, связанная с ошибками при проверке подписи S/Mime OSCP-сертификата, позволяющая нарушителю реализовать спуфинг атаку

Уязвимость браузеров Mozilla Firefox и Firefox ESR, связанная с копированием буфера без проверки размера входных данных, позволяющая нарушителю выполнить произвольный код

Уязвимость браузеров Mozilla Firefox и Firefox ESR, связанная с ошибками при интерпретации данных, загруженных несколькими способами, позволяющая нарушителю читать произвольные файлы

Уязвимость браузеров Mozilla Firefox, Mozilla Firefox ESR и почтового клиента Thunderbird, связанная с выходом операции за границы буфера в памяти в процессе некорректного программного рендеринга видео с кодировкой H.264, позволяющая нарушителю выполнить атаку типа «отказ в обслуживании» (DoS)

The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11.

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.

When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv="refresh" attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

When saving or opening an email attachment on macOS, Thunderbird did not set attribute com.apple.quarantine on the received file. If the received file was an application and the user attempted to open it, then the application was started immediately without asking the user to confirm. This vulnerability affects Thunderbird < 102.3.

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.

An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Session history navigations may have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Thunderbird), so in this release Thunderbird has blocked these protocols from prompting the user to open them.
*This bug only affects Thunderbird on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks.
*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

In the nsTArray_Impl::ReplaceElementsAt() function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.
This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

A data race could occur in the PK11_ChangePW function, potentially leading to a use-after-free vulnerability. In Firefox, this lock protected the data when a user changed their master password. This vulnerability affects Firefox ESR < 102.2 and Thunderbird < 102.2.

Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.2, Thunderbird < 102.2, and Firefox < 104.

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end. Starting with version 19.7.0, the default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately, for example, by showing a warning for such messages. This attack requires coordination between a malicious homeserver and an attacker, and those who trust your homeservers do not need a workaround.

Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities. This would lead to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps. Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable. Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key. As this attack requires coordination between a malicious homeserver and an attacker, those who trust their homeservers do not need a particular workaround.

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.

When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.
*This bug only affects Firefox on ARM64 platforms.*. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via `performance.getEntries()`. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4.

Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4.

If a website called `window.print()` in a particular way, it could cause a denial of service of the browser, which may persist beyond browser restart depending on the user's session restore settings. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4.

Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105 and Firefox ESR 102.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4.

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Through a series of popup and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Freeing arbitrary nsIInputStream's on a different thread than creation could have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

The garbage collector could have been aborted in several states and zones and GCRuntime::finishCollection may not have been called, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on fetch() and XMLHttpRequest; however some webservers have implemented non-standard headers such as X-Http-Method-Override that override the HTTP method, and made this attack possible again. Thunderbird has applied the same mitigations to the use of this and similar headers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

When resolving a symlink such as file:///proc/self/fd/1, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer.
*This bug only affects Thunderbird on Unix-based operated systems (Android, Linux, MacOS). Windows is unaffected.*. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.

Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Thunderbird 102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This vulnerability affects Firefox < 108.

An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.
*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.

A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.
*Note*: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox ESR < 102.6.

The executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user's computer.
*Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.

By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108.

Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.

A missing check related to tex units could have led to a use-after-free and potentially exploitable crash.
*Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 105. This vulnerability affects Firefox ESR < 102.6, Firefox < 105, and Thunderbird < 102.6.

An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash. *Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox < 106, Firefox ESR < 102.6, and Thunderbird < 102.6.

A use-after-free in WebGL extensions could have led to a potentially exploitable crash. This vulnerability affects Firefox < 107, Firefox ESR < 102.6, and Thunderbird < 102.6.

Certificate OCSP revocation status was not checked when verifying S/Mime signatures. Mail signed with a revoked certificate would be displayed as having a valid signature. Thunderbird versions from 68 to 102.7.0 were affected by this bug. This vulnerability affects Thunderbird < 102.7.1.

Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged a website could arbitrarily read a file via a call to DataTransfer.setData. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.

When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.

Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.

A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.

Regular expressions used to filter out forbidden properties and values from style directives in calls to console.log weren't accounting for external URLs. Data could then be potentially exfiltrated from the browser. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.

Memory safety bugs present in Firefox 108 and Firefox ESR 102.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.