Kris Maglione

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 70 Thunderbird versions prior to 68.2 Firefox ESR versions prior to 68.2 **Description** The issue is related to a same-origin policy bypass, allowing two same-origin documents that set `document.domain` differently to become cross-origin. This enables them to call arbitrary DOM methods, getters, and setters on the now-cross-origin window. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Firefox versions prior to 70, update to version 70 or later. For Thunderbird versions prior to 68.2, update to version 68.2 or later. For Firefox ESR versions prior to 68.2, update to version 68.2 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 51 **Description** The issue allows a malicious extension to install additional extensions without explicit user permission by modifying the CSP headers on sites with the appropriate permissions and using host requests to redirect script loads to a malicious site. This is achieved through the use of the "mozAddonManager" API. **Recommendations** For versions prior to 51, update to a version that includes the fix for this issue to prevent malicious extensions from installing additional extensions without user permission.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 50.1 **Description** A world-accessible resource in Mozilla's add-ons SDK contains an HTML injection issue. If another vulnerability allows this resource to be loaded as a document, it could enable injecting content and script into an add-on's context. **Recommendations** For versions prior to 50.1, update to version 50.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 50 **Description** The issue allows WebExtensions to elevate privilege using the mozAddonManager API, as privileged pages are permitted in the permissions list. This enables a malicious extension to install additional extensions without explicit user permission. **Recommendations** For versions prior to 50, update to version 50 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 43.0 **Description** The issue is related to insufficient access restrictions to certain functions in the browser. It may allow a remote attacker to elevate privileges, conduct cross-site scripting (XSS) attacks, or possibly obtain sensitive information through a specially crafted website. **Recommendations** For versions prior to 43.0, update to version 43.0 or later to resolve the issue.