Cody Crews

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 79.0.3945.79 **Description** The issue is related to insufficient policy enforcement in extensions, allowing a remote attacker to bypass navigation restrictions via a crafted HTML page. This can potentially impact the integrity of data. **Recommendations** For versions prior to 79.0.3945.79, update to version 79.0.3945.79 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 70 Firefox ESR versions prior to 68.2 Thunderbird versions prior to 68.2 **Description** The issue is related to an error in accessing a privileged JSONView object that was cloned into content, allowing a remote attacker to potentially access and compromise confidential data. The vulnerability can be exploited by using a form with a data URI to gain access to the privileged object. Although the impact of exposing this object appears to be minimal, it bypasses existing defense mechanisms. **Recommendations** For Firefox versions prior to 70, update to version 70 or later to resolve the issue. For Firefox ESR versions prior to 68.2, update to version 68.2 or later to resolve the issue. For Thunderbird versions prior to 68.2, update to version 68.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 25.0 Mozilla Firefox ESR versions 24.x prior to 24.1 **Description** The issue allows remote attackers to read arbitrary files or execute arbitrary JavaScript code with chrome privileges by using an IFRAME element within an embedded PDF object. This is due to the improper handling of the appending of an IFRAME element by PDF.js in Mozilla Firefox. **Recommendations** For Mozilla Firefox versions prior to 25.0, update to version 25.0 or later. For Mozilla Firefox ESR versions 24.x prior to 24.1, update to version 24.1 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 21.0 Firefox ESR 17.x versions prior to 17.0.6 Thunderbird versions prior to 17.0.6 Thunderbird ESR 17.x versions prior to 17.0.6 **Description** The issue allows remote attackers to bypass certain read-only restrictions and conduct cross-site scripting (XSS) attacks via a crafted web site, due to the Chrome Object Wrapper (COW) implementation not preventing acquisition of chrome privileges during calls to content level constructors. **Recommendations** For Mozilla Firefox versions prior to 21.0, update to version 21.0 or later. For Firefox ESR 17.x versions prior to 17.0.6, update to version 17.0.6 or later. For Thunderbird versions prior to 17.0.6, update to version 17.0.6 or later. For Thunderbird ESR 17.x versions prior to 17.0.6, update to version 17.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 20.0 Firefox ESR 17.x versions prior to 17.0.5 Thunderbird versions prior to 17.0.5 Thunderbird ESR 17.x versions prior to 17.0.5 SeaMonkey versions prior to 2.17 **Description** The issue allows remote attackers to bypass the Same Origin Policy or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site. This is due to the System Only Wrapper (SOW) implementation not preventing the use of the `cloneNode` method for cloning a protected node. **Recommendations** For Mozilla Firefox versions prior to 20.0, update to version 20.0 or later. For Firefox ESR 17.x versions prior to 17.0.5, update to version 17.0.5 or later. For Thunderbird versions prior to 17.0.5, update to version 17.0.5 or later. For Thunderbird ESR 17.x versions prior to 17.0.5, update to version 17.0.5 or later. For SeaMonkey versions prior to 2.17, update to version 2.17 or later.