Freddy

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 82.0.3 Firefox ESR versions prior to 78.4.1 Thunderbird versions prior to 78.4.2 **Description** The issue is related to the MCallGetProperty opcode being emitted with unmet assumptions, resulting in an exploitable use-after-free condition. This can lead to accessing already freed memory, which is suitable for creating a working exploit. The problem is associated with the incorrect usage of the MCallGetProperty operation code. **Recommendations** For Firefox versions prior to 82.0.3, update to version 82.0.3 or later. For Firefox ESR versions prior to 78.4.1, update to version 78.4.1 or later. For Thunderbird versions prior to 78.4.2, update to version 78.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 67.0.4 Mozilla Firefox ESR versions prior to 60.7.2 Thunderbird versions prior to 60.7.2 **Description** The issue is caused by insufficient vetting of parameters passed with the `Prompt:Open` IPC message between child and parent processes. This can result in the non-sandboxed parent process opening web content chosen by a compromised child process, potentially allowing attackers to execute arbitrary code on the user's computer when combined with additional vulnerabilities. **Recommendations** For Mozilla Firefox versions prior to 67.0.4, update to version 67.0.4 or later. For Mozilla Firefox ESR versions prior to 60.7.2, update to version 60.7.2 or later. For Thunderbird versions prior to 60.7.2, update to version 60.7.2 or later. As a temporary workaround, consider restricting access to the `Prompt:Open` IPC message to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox OS versions prior to 2.5 **Description** The lockscreen feature does not properly restrict failed authentication attempts, making it easier for physically proximate attackers to obtain access by entering many passcode guesses. **Recommendations** For versions prior to 2.5, update to version 2.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 19.0 Firefox ESR versions 17.x prior to 17.0.3 Thunderbird versions prior to 17.0.3 Thunderbird ESR versions 17.x prior to 17.0.3 SeaMonkey versions prior to 2.16 **Description** The issue allows JavaScript workers to read the browser-profile directory name, which has unspecified impact and can be exploited through remote attack vectors. **Recommendations** For Mozilla Firefox versions prior to 19.0, update to version 19.0 or later. For Firefox ESR versions 17.x prior to 17.0.3, update to version 17.0.3 or later. For Thunderbird versions prior to 17.0.3, update to version 17.0.3 or later. For Thunderbird ESR versions 17.x prior to 17.0.3, update to version 17.0.3 or later. For SeaMonkey versions prior to 2.16, update to version 2.16 or later.