Armin Ebert

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 117 Firefox ESR versions prior to 115.4 Thunderbird versions prior to 115.4.1 **Description** The issue is related to errors in the representation of information in the user interface, allowing an attacker to conduct spoofing attacks using a specially crafted link. This can be achieved by creating a malicious link using bidirectional characters to spoof the location in the address bar when visited. **Recommendations** For Firefox versions prior to 117, update to version 117 or later to resolve the issue. For Firefox ESR versions prior to 115.4, update to version 115.4 or later to resolve the issue. For Thunderbird versions prior to 115.4.1, update to version 115.4.1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of bidirectional characters in links until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 107 Firefox ESR versions prior to 102.5 Thunderbird versions prior to 102.5 **Description** The issue is related to the resolution of a symlink, such as `file:///proc/self/fd/1`, which may produce an error message containing uninitialized memory in the buffer. This affects Unix-based operating systems, including Android, Linux, and MacOS, but does not affect Windows. **Recommendations** For Firefox versions prior to 107, update to version 107 or later. For Firefox ESR versions prior to 102.5, update to version 102.5 or later. For Thunderbird versions prior to 102.5, update to version 102.5 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 106 **Description** The issue is related to synchronization errors when using a shared resource, which could allow a remote attacker to disclose protected information. A data race could occur in the `ThirdPartyUtil` component if two Workers were simultaneously initializing their CacheStorage. **Recommendations** For versions prior to 106, update to version 106 or later to resolve the issue. As a temporary workaround, consider restricting access to shared resources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 107 **Description** The issue is related to the use of the `FontFace()` function on a background worker, which could lead to a use-after-free condition and result in a potentially exploitable crash. This condition occurs when memory is accessed after it has been freed, potentially allowing a remote attacker to cause a denial of service. **Recommendations** For versions prior to 107, update to version 107 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `FontFace()` function on background workers until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 105 Firefox ESR versions prior to 102.3 Thunderbird versions prior to 102.3 **Description** The issue is related to the concurrent use of the URL parser with non-UTF-8 data, which is not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. The vulnerability may allow a remote attacker to execute arbitrary code or cause a denial of service. **Recommendations** For Firefox versions prior to 105, update to version 105 or later. For Firefox ESR versions prior to 102.3, update to version 102.3 or later. For Thunderbird versions prior to 102.3, update to version 102.3 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions 102.2 and earlier Thunderbird versions 102.2 and earlier Firefox versions 104 and earlier **Description** The issue is related to the implementation of the FeaturePolicy mechanism in Firefox, Firefox ESR, and Thunderbird, which is associated with incorrect restriction of visualizable layers or frames of the user interface. During iframe navigation, certain pages did not have their FeaturePolicy fully initialized, leading to a bypass that leaked device permissions into untrusted subdocuments. This could allow a remote attacker to bypass security restrictions. **Recommendations** For Firefox ESR versions 102.2 and earlier, update to version 102.3 or later. For Thunderbird versions 102.2 and earlier, update to version 102.3 or later. For Firefox versions 104 and earlier, update to version 105 or later.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 102.2 Thunderbird versions prior to 91.13 Firefox ESR versions prior to 91.13 Firefox ESR versions prior to 102.2 Firefox versions prior to 104 **Description** An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. **Recommendations** For Thunderbird versions prior to 102.2, update to version 102.2 or later. For Thunderbird versions prior to 91.13, update to version 91.13 or later. For Firefox ESR versions prior to 91.13, update to version 91.13 or later. For Firefox ESR versions prior to 102.2, update to version 102.2 or later. For Firefox versions prior to 104, update to version 104 or later.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 102.2 Thunderbird versions prior to 91.13 Firefox ESR versions prior to 91.13 Firefox ESR versions prior to 102.2 Firefox versions prior to 104 **Description** The issue is related to the implementation of XSLT technology in Thunderbird and Firefox browsers, which allows a cross-origin iframe referencing an XSLT document to inherit the parent domain's permissions, such as microphone or camera access. This could potentially allow a remote attacker to elevate their privileges. **Recommendations** For Thunderbird versions prior to 102.2, update to version 102.2 or later. For Thunderbird versions prior to 91.13, update to version 91.13 or later. For Firefox ESR versions prior to 91.13, update to version 91.13 or later. For Firefox ESR versions prior to 102.2, update to version 102.2 or later. For Firefox versions prior to 104, update to version 104 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 102 Firefox ESR versions prior to 91.11 Thunderbird versions prior to 102 Thunderbird versions prior to 91.11 **Description** The issue is related to a use-after-free error in the `nsSHistory` function, potentially leading to a crash and allowing a remote attacker to execute arbitrary code. This error occurs when handling session history navigations and may be exploitable. **Recommendations** For Firefox versions prior to 102, update to version 102 or later. For Firefox ESR versions prior to 91.11, update to version 91.11 or later. For Thunderbird versions prior to 102, update to version 102 or later. For Thunderbird versions prior to 91.11, update to version 91.11 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 102 **Description** The issue is related to errors in HTML sanitization. It may allow a remote attacker to compromise the integrity of protected information. The HTML Sanitizer incorrectly failed to sanitize `xlink:href` attributes of SVG `<use>` tags. **Recommendations** For versions prior to 102, update to version 102 or later to resolve the issue. As a temporary workaround, consider restricting the use of SVG `<use>` tags with `xlink:href` attributes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 102 Firefox ESR versions prior to 91.11 Thunderbird versions prior to 102 Thunderbird versions prior to 91.11 **Description** The issue is related to errors in handling the Content Security Policy (CSP) header without the 'allow scripts' parameter. This could allow a remote attacker to bypass the implemented CSP restriction and execute arbitrary scripts using a specially crafted link, if the user clicks on a `javascript:` link. An iframe that was not permitted to run scripts could do so under these conditions. **Recommendations** For Firefox versions prior to 102: Update to version 102 or later. For Firefox ESR versions prior to 91.11: Update to version 91.11 or later. For Thunderbird versions prior to 102: Update to version 102 or later. For Thunderbird versions prior to 91.11: Update to version 91.11 or later.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 91.9 Firefox ESR versions prior to 91.9 Firefox versions prior to 100 **Description** Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. The vulnerability is related to insufficient access control and can be exploited by a remote attacker to bypass existing security restrictions. **Recommendations** For Thunderbird versions prior to 91.9, update to version 91.9 or later. For Firefox ESR versions prior to 91.9, update to version 91.9 or later. For Firefox versions prior to 100, update to version 100 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 98 Mozilla Firefox ESR versions prior to 91.7 Mozilla Thunderbird versions prior to 91.7 **Description** The issue is related to a race condition when checking signatures, allowing a remote attacker to replace the base add-on file with a malicious one while the user is confirming the installation prompt. This could lead to the installation of a malicious add-on in the system. **Recommendations** For Mozilla Firefox versions prior to 98, update to version 98 or later to resolve the issue. For Mozilla Firefox ESR versions prior to 91.7, update to version 91.7 or later to resolve the issue. For Mozilla Thunderbird versions prior to 91.7, update to version 91.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Thunderbird versions prior to 91.4.0 Mozilla Firefox ESR versions prior to 91.4.0 Mozilla Firefox versions prior to 95 **Description** The issue is related to errors in security settings, specifically in the handling of Content Security Policy (CSP) by Mozilla Firefox and Mozilla Thunderbird. This could allow a remote attacker to bypass existing security restrictions by embedding additional content into documents, thus escaping the sandbox's script restrictions. **Recommendations** For Mozilla Thunderbird versions prior to 91.4.0, update to version 91.4.0 or later. For Mozilla Firefox ESR versions prior to 91.4.0, update to version 91.4.0 or later. For Mozilla Firefox versions prior to 95, update to version 95 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 94 Thunderbird versions prior to 91.3 Firefox ESR versions prior to 91.3 **Description** The issue is related to errors in the configuration of sandbox security rules for iframes to XSLT stylesheets. This allows a remote attacker to bypass existing security restrictions by using an iframe to circumvent limitations, such as executing scripts or navigating the top-level frame. **Recommendations** For Firefox versions prior to 94, update to version 94 or later to resolve the issue. For Thunderbird versions prior to 91.3, update to version 91.3 or later to resolve the issue. For Firefox ESR versions prior to 91.3, update to version 91.3 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 87 Description: A malicious extension with the `search` permission could bypass the same-origin policy by installing a new search engine whose favicon references a cross-origin URL. The response to this cross-origin request could be read by the extension, potentially disclosing sensitive information about local-network resources or resources that use IP-based authentication. The cross-origin request was made without cookies, limiting the sensitive information disclosed. Recommendations: For Firefox versions prior to 87, update to version 87 or later to resolve the issue. As a temporary workaround, consider disabling the `search` permission for extensions until a patch is available. Restrict access to sensitive local-network resources and resources that perform IP-based authentication to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 45.7 Firefox ESR versions prior to 45.7 Firefox versions prior to 51 **Description** The issue allows for domain name spoofing attacks in the location bar due to URLs containing certain unicode glyphs for alternative hyphens and quotes not properly triggering punycode display. **Recommendations** For Thunderbird versions prior to 45.7, update to version 45.7 or later. For Firefox ESR versions prior to 45.7, update to version 45.7 or later. For Firefox versions prior to 51, update to version 51 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 47.0 **Description** The issue allows remote attackers to bypass the Same Origin Policy and modify the `location.host` property via an invalid `data:` URL. This is related to insufficient access control in the browser, which can be exploited by a remote attacker to circumvent existing access restrictions. **Recommendations** For versions prior to 47.0, update to version 47.0 or later to resolve the issue. As a temporary workaround, consider restricting access to invalid `data:` URLs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 37.0.1 **Description** The issue arises from the Reader mode feature not properly handling privileged URLs, making it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges. This is achieved by bypassing the Same Origin Policy. **Recommendations** For versions prior to 37.0.1, update to version 37.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 37.0 **Description** The issue allows an attacker controlling network traffic to bypass user authentication by deploying a specially crafted website and conducting a DNS spoofing attack against a mozilla.org subdomain. This is possible because the browser does not require an HTTPS session for lightweight theme add-on installations. **Recommendations** For versions prior to 37.0, update to version 37.0 or later to resolve the issue. As a temporary workaround, consider restricting the installation of lightweight theme add-ons to only those that use HTTPS connections, and avoid using unsecured networks to minimize the risk of exploitation.