Anne Van Kesteren

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 113 Firefox ESR (affected versions not specified) **Description** The issue is related to a lack of protection for service worker data, which could allow a remote attacker to disclose protected information through the use of dynamic `import()`. This affects Firefox and Firefox ESR browsers. **Recommendations** For Firefox versions prior to 113, update to version 113 or later to resolve the issue. For Firefox ESR, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 107 Firefox ESR versions prior to 102.5 Thunderbird versions prior to 102.5 **Description** The issue is related to Service Workers in browsers, which could allow a remote attacker to infer information about the presence or length of a media file by exploiting timing information for cross-origin media combined with Range requests. **Recommendations** For Firefox versions prior to 107, update to version 107 or later. For Firefox ESR versions prior to 102.5, update to version 102.5 or later. For Thunderbird versions prior to 102.5, update to version 102.5 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 78.1 Firefox versions prior to 79 Thunderbird versions prior to 78.1 **Description** A security issue was found in the iframe sandbox element with the allow-popups flag, which could be bypassed when using noopener links. This could lead to security problems for websites that rely on sandbox configurations allowing popups and hosting arbitrary content. The vulnerability is related to incorrect default access permission settings. **Recommendations** For Firefox ESR versions prior to 78.1, update to version 78.1 or later. For Firefox versions prior to 79, update to version 79 or later. For Thunderbird versions prior to 78.1, update to version 78.1 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 66 Firefox ESR versions prior to 60.6 Thunderbird versions prior to 60.6 **Description** The issue is related to memory safety bugs and buffer copying without checking the size of input data, which could potentially be exploited to run arbitrary code. This may lead to memory corruption. **Recommendations** For Firefox versions prior to 66, update to version 66 or later. For Firefox ESR versions prior to 60.6, update to version 60.6 or later. For Thunderbird versions prior to 60.6, update to version 60.6 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 55 **Description** The issue is related to the lack of same-origin protections for response header name interning, allowing stored header names to be available cross-origin. This could potentially enable a remote attacker to gain unauthorized access to protected information. **Recommendations** For versions prior to 55, update to a version 55 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive information until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions 4.x through 11.0 Firefox ESR versions 10.x before 10.0.4 Thunderbird versions 5.0 through 11.0 Thunderbird ESR versions 10.x before 10.0.4 SeaMonkey versions prior to 2.9 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a multibyte character set. This can be exploited by remote attackers. **Recommendations** For Mozilla Firefox versions 4.x through 11.0, update to a version after 11.0. For Firefox ESR versions 10.x before 10.0.4, update to version 10.0.4 or later. For Thunderbird versions 5.0 through 11.0, update to a version after 11.0. For Thunderbird ESR versions 10.x before 10.0.4, update to version 10.0.4 or later. For SeaMonkey versions prior to 2.9, update to version 2.9 or later.