Scarlet

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 123 **Description** The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain. Under the correct circumstances, an attacker may have been able to poison the local browser cache by priming it with a `fetch()` response controlled by the additional headers. Upon navigation to the same URL, the user would see the cached response instead of the expected response. **Recommendations** For Firefox versions prior to 123, update to a version that includes the fix for this issue to prevent cache poisoning attacks. As a temporary workaround, consider disabling the `fetch()` API or restricting its use until a patch is available. Avoid using the `fetch()` API with optional headers that may be controlled by an attacker.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 109.0.5414.74 **Description** The issue is related to insufficient policy enforcement in CORS, allowing a remote attacker to leak cross-origin data via a crafted HTML page. This could enable an attacker to access confidential data. **Recommendations** For versions prior to 109.0.5414.74, update to version 109.0.5414.74 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 102.5 Thunderbird versions prior to 102.5 Firefox versions prior to 107 **Description** Cross-Site Tracing occurs when a server echoes a request back via the Trace method, allowing an XSS attack to access authorization headers and cookies inaccessible to JavaScript, such as cookies protected by HTTPOnly. Browsers have placed limits on `fetch()` and XMLHttpRequest to mitigate this attack. However, some webservers have implemented non-standard headers like `X-Http-Method-Override` that override the HTTP method, making this attack possible again. **Recommendations** For Firefox ESR versions prior to 102.5, update to version 102.5 or later. For Thunderbird versions prior to 102.5, update to version 102.5 or later. For Firefox versions prior to 107, update to version 107 or later.