Samuel Erb

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 54 Firefox ESR versions prior to 52.2 Thunderbird versions prior to 52.2 **Description** The issue allows characters from the "Canadian Syllabics" unicode block to be mixed with characters from other unicode blocks in the address bar, instead of being rendered as their raw "punycode" form. This can lead to domain name spoofing attacks through character confusion. The current Unicode standard permits characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. However, the upcoming Unicode version 10.0 removes this category and treats them as "Limited Use Scripts." **Recommendations** For Firefox versions prior to 54, update to version 54 or later to resolve the issue. For Firefox ESR versions prior to 52.2, update to version 52.2 or later to resolve the issue. For Thunderbird versions prior to 52.2, update to version 52.2 or later to resolve the issue.