Ehsan Akhgari

**Name of the Vulnerable Software and Affected Versions** Firefox versions 49 and earlier Firefox ESR versions 45.4 and earlier Thunderbird versions prior to 45.5 **Description** Memory safety bugs were reported, showing evidence of memory corruption. It is presumed that with enough effort, some of these bugs could be exploited to run arbitrary code. **Recommendations** For Firefox versions 49 and earlier, update to version 50 or later. For Firefox ESR versions 45.4 and earlier, update to version 45.5 or later. For Thunderbird versions prior to 45.5, update to version 45.5 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 42.0 Firefox ESR versions prior to 38.4 **Description** The issue is related to improper control of a web worker's ability to create a WebSocket object, allowing remote attackers to bypass intended mixed-content restrictions via crafted JavaScript code. This can be exploited by a remote attacker using specially formed JavaScript code to bypass existing access restrictions. **Recommendations** For Mozilla Firefox versions prior to 42.0, update to version 42.0 or later. For Firefox ESR versions prior to 38.4, update to version 38.4 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 41.0 Firefox ESR versions 38.x prior to 38.3 **Description** The issue is related to errors in security settings, allowing a remote attacker to bypass CORS protection mechanisms. This can be achieved by either duplicating cache-key sequences or retrieving values from an incorrect HTTP Access-Control-* response header. **Recommendations** For Mozilla Firefox versions prior to 41.0, update to version 41.0 or later. For Firefox ESR versions 38.x prior to 38.3, update to version 38.3 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.5.14 Mozilla Firefox versions 3.6.x prior to 3.6.11 Thunderbird versions prior to 3.0.9 Thunderbird versions 3.1.x prior to 3.1.5 SeaMonkey versions prior to 2.0.9 **Description** The issue allows local users to gain privileges via a Trojan horse DLL in the current working directory due to an untrusted search path vulnerability. **Recommendations** For Mozilla Firefox versions prior to 3.5.14, update to version 3.5.14 or later. For Mozilla Firefox versions 3.6.x prior to 3.6.11, update to version 3.6.11 or later. For Thunderbird versions prior to 3.0.9, update to version 3.0.9 or later. For Thunderbird versions 3.1.x prior to 3.1.5, update to version 3.1.5 or later. For SeaMonkey versions prior to 2.0.9, update to version 2.0.9 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions 3.5.x through 3.5.10 Mozilla Firefox versions 3.6.x through 3.6.6 Thunderbird versions 3.0.x through 3.0.5 Thunderbird versions 3.1.x through 3.1.0 SeaMonkey versions prior to 2.0.6 **Description** The issue allows remote attackers to cause a denial of service, resulting in memory corruption and application crash, or possibly execute arbitrary code via unknown vectors. **Recommendations** For Mozilla Firefox versions 3.5.x through 3.5.10, update to version 3.5.11 or later. For Mozilla Firefox versions 3.6.x through 3.6.6, update to version 3.6.7 or later. For Thunderbird versions 3.0.x through 3.0.5, update to version 3.0.6 or later. For Thunderbird versions 3.1.x through 3.1.0, update to version 3.1.1 or later. For SeaMonkey versions prior to 2.0.6, update to version 2.0.6 or later.