Mozilla · Firefox · CVE-2016-9064
**Name of the Vulnerable Software and Affected Versions**
Firefox ESR versions prior to 45.5
Firefox versions prior to 50
**Description**
Add-on updates fail to verify the add-on ID inside the signed package against the ID of the add-on being updated. An attacker who can intercept the user's connection to the update server and bypass certificate pinning protection could therefore provide a malicious signed add-on instead of a valid update.
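The missing check, shown as an added example that is not Firefox code: a signature-only update check next to one that also binds the signed package's ID to the installed add-on. All function names, add-on IDs and signature values are constructed for illustration, and signature verification is modeled by a lookup table rather than real cryptography.

```javascript
// Added illustration; every name here is hypothetical and none of this is Firefox code.
// Stand-in for signature verification: a package counts as "signed" when its signature
// equals the value the modeled signing service issued for that exact id and version.
const ISSUED_SIGNATURES = new Map([
  ["notes@example.org|2.0", "sig-notes-2.0"],
  ["other@example.net|1.0", "sig-other-1.0"],
]);

function signatureValid(pkg) {
  const key = `${pkg.manifest.id}|${pkg.manifest.version}`;
  return ISSUED_SIGNATURES.get(key) === pkg.signature;
}

// Behaviour the advisory describes: the signature is checked, the ID is not.
function checkUpdateSignatureOnly(installed, pkg) {
  if (!signatureValid(pkg)) return { accept: false, reason: "bad-signature" };
  return { accept: true, reason: "ok" };
}

// Corrected check: the ID inside the signed package must match the installed add-on.
function checkUpdateWithIdBinding(installed, pkg) {
  if (!signatureValid(pkg)) return { accept: false, reason: "bad-signature" };
  if (pkg.manifest.id !== installed.id) return { accept: false, reason: "id-mismatch" };
  return { accept: true, reason: "ok" };
}

// Constructed sample data: the installed add-on and three candidate update packages.
const INSTALLED = { id: "notes@example.org", version: "1.0" };
const GENUINE = { manifest: { id: "notes@example.org", version: "2.0" }, signature: "sig-notes-2.0" };
const SUBSTITUTED = { manifest: { id: "other@example.net", version: "1.0" }, signature: "sig-other-1.0" };
const UNSIGNED = { manifest: { id: "notes@example.org", version: "2.0" }, signature: "forged" };

// Run both checks over each package and collect the outcome per package.
function compareChecks() {
  const rows = {};
  for (const [name, pkg] of Object.entries({ GENUINE, SUBSTITUTED, UNSIGNED })) {
    rows[name] = {
      signatureOnly: checkUpdateSignatureOnly(INSTALLED, pkg).reason,
      withIdBinding: checkUpdateWithIdBinding(INSTALLED, pkg).reason,
    };
  }
  return rows;
}

console.log(compareChecks());
```

The `SUBSTITUTED` package carries a valid signature for a different add-on, so only the ID comparison separates it from the genuine update.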
**Recommendations**
For Firefox ESR versions prior to 45.5, update to version 45.5 or later.
For Firefox versions prior to 50, update to version 50 or later.