Esmedudoit

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 49.0 Firefox ESR versions 45.x prior to 45.4 Thunderbird versions prior to 45.4 **Description** The issue exists due to insufficient input validation, allowing a remote attacker to spoof add-on updates by leveraging an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority. This can be achieved by exploiting unintended expiration dates for Preloaded Public Key Pinning. **Recommendations** For Mozilla Firefox versions prior to 49.0, update to version 49.0 or later to resolve the issue. For Firefox ESR versions 45.x prior to 45.4, update to version 45.4 or later to resolve the issue. For Thunderbird versions prior to 45.4, update to version 45.4 or later to resolve the issue.