Jose María Acuña

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 56 **Description** The issue is related to the use of the "data:" protocol in Firefox, which can be exploited to create a modal dialog through JavaScript. This allows an attacker to spoof the origin of the modal dialog, making it appear as if it comes from an arbitrary domain. The attack is only successful on installations where e10 multiprocess is turned off, as those with e10s turned on do not support the modal dialog functionality. **Recommendations** For versions prior to 56, update to a version that contains a fix for this issue to prevent the spoofing of the modal dialog's origin. As a temporary workaround, consider disabling the use of modal dialogs in JavaScript until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 52.3 Firefox ESR versions prior to 52.3 Firefox versions prior to 55 **Description** The issue is related to the implementation of the "data:" protocol in Mozilla Firefox, Firefox ESR, and the Thunderbird email client. It is associated with errors in the protocol's functioning on pages containing `iframe` elements. Exploitation of this issue may allow a remote attacker to compromise the integrity of protected information. On pages with an `iframe`, the "data:" protocol can be used to create a modal alert that renders over arbitrary domains after page navigation, allowing the spoofing of the origin of the modal alert from the `iframe` content. **Recommendations** For Thunderbird versions prior to 52.3, update to version 52.3 or later. For Firefox ESR versions prior to 52.3, update to version 52.3 or later. For Firefox versions prior to 55, update to version 55 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 53 **Description** The issue is related to a mechanism that allows injecting static HTML into the RSS reader preview page. This is due to a failure to properly escape characters sent as URL parameters for a feed's `TITLE` element. The issue allows for spoofing, but it does not permit the execution of scripted content. **Recommendations** For versions prior to 53, update to version 53 or later to resolve the issue.