Vladimir Metnew

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 68.5 Firefox versions prior to 73 Firefox ESR versions prior to 68.5 **Description** A semi-privileged extension can launch an arbitrary application on the user's computer by downloading a file with the .fileloc extension. However, the attacker's ability to exploit this issue is limited as they cannot download non-quarantined files or supply command line arguments to the application. This issue only affects Mac OSX, with other operating systems being unaffected. **Recommendations** For Thunderbird versions prior to 68.5, update to version 68.5 or later. For Firefox versions prior to 73, update to version 73 or later. For Firefox ESR versions prior to 68.5, update to version 68.5 or later. As a temporary workaround, consider restricting the handling of .fileloc files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 80.0.3987.87 **Description** The issue is related to insufficient policy enforcement in downloads and insufficient input validation. This could allow a remote attacker to gain unauthorized access to information, compromise its integrity and availability, and execute arbitrary code via a crafted Chrome Extension if a user is convinced to install a malicious extension. **Recommendations** For Google Chrome versions prior to 80.0.3987.87, update to version 80.0.3987.87 or later to resolve the issue. As a temporary workaround, consider restricting the installation of extensions to minimize the risk of exploitation. Avoid using the `extension` functionality in Google Chrome until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 70.0.3538.67 **Description** The issue is related to incorrect handling of history on iOS in Navigation, allowing a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. This is due to insufficient input validation, which can be exploited by a remote attacker to manipulate the Omnibox component. **Recommendations** For versions prior to 70.0.3538.67, update to version 70.0.3538.67 or later to resolve the issue. As a temporary workaround, consider avoiding the use of crafted HTML pages that may exploit this issue until a patch is applied.