Matheus Vrech

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 100 Firefox ESR versions prior to 91.9 Thunderbird versions prior to 91.9 **Description** The issue is related to the handling of the SameSite attribute in cookies by the reader mode in Firefox, Firefox ESR, and the Thunderbird email client. This allows a remote attacker to intercept cookies with the SameSite attribute set. The vulnerability is caused by the failure to properly omit cookies with the SameSite attribute when requests are initiated through reader mode. **Recommendations** For Firefox versions prior to 100, update to version 100 or later. For Firefox ESR versions prior to 91.9, update to version 91.9 or later. For Thunderbird versions prior to 91.9, update to version 91.9 or later.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 91.9 Firefox ESR versions prior to 91.9 Firefox versions prior to 100 **Description** The issue is related to an improper implementation of the new iframe sandbox keyword `allow-top-navigation-by-user-activation`, which could lead to script execution without `allow-scripts` being present. This allows a remote attacker to bypass existing security restrictions for loaded frames by exploiting the vulnerability in the isolated environment of iframe web browsers. **Recommendations** For Thunderbird versions prior to 91.9, update to version 91.9 or later. For Firefox ESR versions prior to 91.9, update to version 91.9 or later. For Firefox versions prior to 100, update to version 100 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 74 **Description** The issue allows an attacker to inject arbitrary styles into a CSS block by exploiting the @import statement, bypassing the intent of the Content Security Policy when protecting CSS blocks with the nonce feature. **Recommendations** For versions prior to 74, update to version 74 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions 69 **Description** The issue is related to a Content-Security-Policy bypass that allows the execution of JavaScript in a protected document through an object tag, leading to cross-site scripting. This flaw can be exploited by a remote attacker to gain unauthorized access to confidential data and impact data integrity. **Recommendations** For Firefox version 69, update to version 70 or later to resolve the issue. As a temporary workaround, consider disabling the use of object tags in Firefox until a patch is available. Restrict access to sensitive data and ensure proper input validation to minimize the risk of exploitation.