Loobenyang

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 48.0 Firefox ESR versions prior to 45.3 **Description** The issue is related to a use-after-free vulnerability in the WebRTC socket thread, allowing remote attackers to execute arbitrary code by leveraging incorrect free operations on DTLS objects during the shutdown of a WebRTC session. This occurs due to the incorrect use of memory after it has been freed. **Recommendations** For Mozilla Firefox versions prior to 48.0, update to version 48.0 or later to resolve the issue. For Firefox ESR versions prior to 45.3, update to version 45.3 or later to resolve the issue. As a temporary workaround, consider disabling WebRTC functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 46.0 **Description** The issue is related to a race condition in the get implementation of the ServiceWorkerManager class in the Service Worker subsystem. This condition arises due to insufficient checking of the resource state when it can be shared. Exploitation of this issue may allow a remote attacker to execute arbitrary code or cause a denial of service, such as a buffer overflow leading to an application crash, by using a specially crafted web site. **Recommendations** For versions prior to 46.0, update to version 46.0 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable web sites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 45.0 **Description** The issue is related to the ServiceWorkerManager class and can be exploited by remote attackers to execute arbitrary code or cause a denial of service, resulting in out-of-bounds read and memory corruption. This is achieved through unspecified use of the Clients API. **Recommendations** For versions prior to 45.0, update to version 45.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Clients API until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 43.0 Firefox ESR versions 38.x prior to 38.5 **Description** The issue is related to a use-after-free vulnerability, which occurs when memory is accessed after it has been freed. This can be exploited by a remote attacker to execute arbitrary code when attempting to use a data channel that has been closed by a WebRTC function. **Recommendations** For Mozilla Firefox versions prior to 43.0, update to version 43.0 or later to resolve the issue. For Firefox ESR versions 38.x prior to 38.5, update to version 38.5 or later to resolve the issue. As a temporary workaround, consider disabling WebRTC functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 41.0 **Description** The issue is related to a race condition in the WorkerPrivate::NotifyFeatures function, which can be exploited by remote attackers to execute arbitrary code or cause a denial of service. This is due to improper interaction between shared workers and the IndexedDB implementation, leading to use-after-free and application crash. **Recommendations** For versions prior to 41.0, update to version 41.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 40.0 Mozilla Firefox ESR versions prior to 38.2 **Description** A use-after-free issue in the XMLHttpRequest::Open implementation might allow remote attackers to execute arbitrary code via a SharedWorker object that makes recursive calls to the open method of an XMLHttpRequest object. This could potentially lead to the execution of arbitrary code. **Recommendations** For Mozilla Firefox versions prior to 40.0, update to version 40.0 or later. For Mozilla Firefox ESR versions prior to 38.2, update to version 38.2 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 39.0 Mozilla Firefox ESR versions prior to 31.8 Mozilla Firefox ESR versions prior to 38.1 **Description** The issue is related to a use-after-free vulnerability in the CanonicalizeXPCOMParticipant function. This vulnerability can be exploited by a remote attacker to execute arbitrary code by manipulating the `XMLHttpRequest` function, specifically by attaching an `XMLHttpRequest` object to a shared worker. **Recommendations** For Mozilla Firefox versions prior to 39.0, update to version 39.0 or later. For Mozilla Firefox ESR versions prior to 31.8, update to version 31.8 or later. For Mozilla Firefox ESR versions prior to 38.1, update to version 38.1 or later. As a temporary workaround, consider restricting the use of the `XMLHttpRequest` function in shared workers until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 39.0 Firefox ESR versions prior to 31.8 Firefox ESR versions prior to 38.1 **Description** The issue is related to a use-after-free vulnerability in the CanonicalizeXPCOMParticipant function. This vulnerability can be exploited by a remote attacker to execute arbitrary code by manipulating the `XMLHttpRequest` function, specifically by attaching an `XMLHttpRequest` object to a dedicated worker. **Recommendations** For Mozilla Firefox versions prior to 39.0, update to version 39.0 or later. For Firefox ESR versions prior to 31.8, update to version 31.8 or later. For Firefox ESR versions prior to 38.1, update to version 38.1 or later.