firefox

If array shift operations are not used, the Garbage Collector may have become confused about valid objects.

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy.

Firefox's HTML parser did not correctly interpret HTML comment tags, resulting in an incongruity with other browsers. This could have been used to escape...

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key...

A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption.

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or...

A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash.

A malicious website could have learned the size of a cross-origin resource that supported Range requests.

Mozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. Some of these bugs showed...

Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox...

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the...

The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects.

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks.

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute.

An improper implementation of the new iframe sandbox keyword allow- top-navigation-by-user-activation could lead to script execution without allow-scripts...

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and...

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present...

Mozilla developers and community members Randell Jesup, Sebastian Hengst, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98....

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash.

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have...

SVG's <use> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems...

The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that...

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing...

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would...

When installing an add-on, Thunderbird verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on...

In unusual circumstances, an individual thread may outlive the thread's manager during shutdown. This could have led to a use-after- free causing a...

If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked,...

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification.

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the...

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash.

The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to...

An attacker could have caused an uninitialized variable on the stack to be mistakenly freed, causing a potentially exploitable crash.

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of...

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype...

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use- after-free and...

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence...

A security issue has been found in Firefox before version 95 and Thunderbird before version 91.4.0. It was possible to recreate previous cursor spoofing...

A security issue has been found in Firefox before version 95 and Thunderbird before version 91.4.0. Using the Location API in a loop could have caused...

A security issue has been found in Firefox for Android before version 95. When receiving a URL through a SEND intent, Firefox would have searched for the...

A security issue has been found in Firefox before version 95 and Thunderbird before version 91.4.0. Documents loaded with the CSP sandbox directive could...

A security issue has been found in Firefox before version 95 and Thunderbird before version 91.4.0. Using XMLHttpRequest, an attacker could have identified...

A security issue has been found in Firefox before version 95 and Thunderbird before version 91.4.0. When invoking protocol handlers for external protocols,...

A security issue has been found in Firefox before version 95. WebExtensions with the correct permissions were able to create and install ServiceWorkers for...

A security issue has been found in Firefox before version 95 and Thunderbird before version 91.4.0. Failure to correctly record the location of live...

A security issue has been found in Firefox before version 95 and Thunderbird before version 91.4.0. By misusing a race in the notification code, an attacker...

A security issue has been found in Firefox before version 95 and Thunderbird before version 91.4.0. An incorrect type conversion of sizes from 64bit to...

A security issue has been found in Firefox before version 95 and Thunderbird before version 91.4.0. Under certain circumstances, asynchronous functions...

A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. The executable file warning was not presented when...

A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. Due to an unusual sequence of attacker-controlled events,...

A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. By displaying a form validity message in the correct...

A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. The Opportunistic Encryption feature of HTTP2 (RFC 8164)...

A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. Through a series of navigations, Firefox and Thunderbird...

A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. Microsoft introduced a new feature in Windows 10 known as...

A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. When interacting with an HTML input element's file picker...

A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. The iframe sandbox rules were not correctly applied to...

Mozilla developers and community members reported memory safety bugs present in Firefox 92 and Thunderbird 91.1. Some of these bugs showed evidence of...

Mozilla developers and community members reported memory safety bugs present in Firefox 92 and Thunderbird 91.1. Some of these bugs showed evidence of...

Mozilla developers and community members reported memory safety bugs present in Firefox 92. Some of these bugs showed evidence of memory corruption and...

During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially...

Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user...

During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.

Mozilla developers reported memory safety bugs present in Firefox 91. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

When delegating navigations to the operating system, Firefox before version 91.1 and Thunderbird before version 78.14 would accept the `mk` scheme which...

In Firefox before version 92, mixed-content checks were unable to analyze opaque origins which led to some mixed content being loaded.

In the crossbeam crate, one or more tasks in the worker queue could have been be popped twice instead of other tasks that are forgotten and never popped. If...

An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash in the Chromium browser engine...

Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs.  This bug only affects Firefox...

Firefox and Thunderbird before version 91.0.1 incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for...

Mozilla developers and community members reported memory safety bugs present in Firefox 90. Some of these bugs showed evidence of memory corruption and...

Mozilla developers reported memory safety bugs present in Firefox 90 and Thunderbird 78.12. Some of these bugs showed evidence of memory corruption and...

Firefox before version 91 and Thunderbird before version 78.13 incorrectly treated an inline list-item element as a block element, resulting in an out of...

A security issue has been found in Firefox and Thunderbird before version 91. After requesting multiple permissions, and closing the first permission panel,...

A security issue has been found in Firefox before version 91 and Thunderbird before version 78.13. A suspected race condition when calling getaddrinfo() led...

A security issue has been found in Firefox before version 91 and Thunderbird before version 78.13. A use-after-free vulnerability in media channels could...

A security issue has been found in Firefox before version 91 and Thunderbird before version 78.13. Instruction reordering resulted in a sequence of...

Firefox for Android before version 91 could get stuck in fullscreen mode and not exit it even after normal interactions that should cause it to exit.  Note:...

A security issue has been found in Firefox and Thunderbird before version 91. Due to incorrect JIT optimization, it incorrectly interpreted data from the...

A security issue has been found in Firefox and Thunderbird before version 91. An issue present in lowering/register allocation could have led to obscure but...

A security issue has been found in Firefox before version 91 and Thunderbird before version 78.13. Uninitialized memory in a canvas object could have caused...

Mozilla developers reported memory safety bugs present in Firefox 89. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Mozilla developers reported memory safety bugs present in Firefox 89 and Thunderbird 78.11. Some of these bugs showed evidence of memory corruption and...

Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of...

When network partitioning was enabled, e.g. as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error...

Password autofill was enabled without user interaction on insecure websites on Firefox for Android. This was corrected to require user interaction with the...

A user-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have...

If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be...

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. This bug only affected Firefox before...

When drawing text onto a canvas with WebRender disabled, an out of bounds read could occur.  This bug only affects Firefox on Windows. Other operating...

Mozilla developers reported memory safety bugs present in Firefox 88 and Thunderbird 78.10. Some of these bugs showed evidence of memory corruption and...

Mozilla developers reported memory safety bugs present in Firefox 88. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently...

A locally-installed hostile program could send `WM_COPYDATA` messages that Firefox would process incorrectly, leading to an out-of-bounds read.  This bug...

Address bar search suggestions in private browsing mode were re-using session data from normal mode.  This bug only affects Firefox for Android. Other...

Firefox for Android would become unstable and hard-to-recover when a website opened too many popups.  This bug only affects Firefox for Android. Other...

When styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface.

Firefox used to cache the last filename used for printing a file. When generating a filename for printing, Firefox usually suggests the web page title. The...

When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it...

A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting...

A security issue has been found in Firefox before version 88.0.1. When Web Render components were destructed, a race condition could have caused undefined...

A security issue has been found in Firefox before version 88. Mozilla developers and community members reported memory safety bugs present in Firefox 87....

A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. Ports that were written as an integer overflow above the...

A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. The WebAssembly JIT could miscalculate the size of a...

A security issue has been found in Firefox before version 88. Lack of escaping allowed HTML injection when a webpage was viewed in Reader View. While a...

A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. When a user clicked on an FTP URL containing encoded...

A security issue has been found in Firefox before version 88. A compromised content process could have performed session history manipulations it should not...

A security issue has been found in Firefox before version 88. A race condition with requestPointerLock() and setTimeout() could have resulted in a user...

A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. If a Blob URL was loaded through some unusual user...

A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. Through complicated navigations with new windows, an HTTP...

A security issue has been found in Firefox before version 88. Due to unexpected data type conversions, a use-after-free could have occurred when interacting...

A security issue has been found in Firefox before version 88. By utilizing 3D CSS in conjunction with Javascript, content could have been rendered outside...

A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. When Responsive Design Mode was enabled, it used...

A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. A WebGL framebuffer was not initialized early enough,...

A security issue was found in Firefox before version 87. Mozilla developers reported memory safety bugs present in Firefox 86. Some of these bugs showed...

A security issue was found in Firefox before version 87 and Thunderbird before version 78.9. Mozilla developers and community members reported memory safety...

A security issue was found in Firefox before version 87. A malicious extension with the 'search' permission could have installed a new search engine whose...

A security issue was found in Firefox before version 87. If an attacker is able to alter specific about:config values (for example malware running on the...

A security issue was found in Firefox before version 87 and Thunderbird before version 78.9. A malicious extension could have opened a popup window lacking...

A security issue was found in Firefox before version 87. By causing a transition on a parent node by removing a CSS rule, an invalid property for a marker...

A security issue was found in Firefox before version 87 and Thunderbird before version 78.9. Using techniques that built on the slipstream research, a...

A security issue was found in Firefox before version 87 and Thunderbird before version 78.9. A texture upload of a Pixel Buffer Object could have confused...

A security issue was found in Firefox before version 86.0. Mozilla developers reported memory safety bugs present in Firefox 85. Some of these bugs showed...

A security issue was found in Firefox before version 86.0 and Thunderbird before version 78.8. Mozilla developers reported memory safety bugs present in...

Firefox for Android before version 86.0 suffered from a time-of-check- time-of-use vulnerability that allowed a malicious application to read sensitive data...

A security issue was found in Firefox for Android before version 86.0. When accepting a malicious intent from other installed apps, Firefox for Android...

A security issue was found in Firefox before version 86.0. The developer page about:memory has a Measure function for exploring what object types the...

A security issue was found in Firefox before version 86.0. The DOMParser API did not properly process <noscript> elements for escaping. This could be used...

A security issue was found in Firefox before version 86.0 and Thunderbird before version 78.8. When trying to load a cross-origin resource in an audio/video...

A security issue was found in Firefox before version 86.0. One phishing tactic on the web is to provide a link with HTTP Auth. For example...

A security issue was found in Firefox before version 86.0. When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the...

A security issue was found in Firefox before version 86.0. Context- specific code was included in a shared jump table; resulting in assertions being...

A security issue was found in Firefox before version 86.0 and Thunderbird before version 78.8. As specified in the W3C Content Security Policy draft, when...

A security issue was found in Firefox before version 86.0 and Thunderbird before version 78.8. If Content Security Policy blocked frame navigation, the full...

A security issue was found in Firefox before version 85.0. Mozilla developers reported memory safety bugs present in Firefox 84. Some of these bugs showed...

A security issue was found in Firefox before version 85.0 and Thunderbird before version 78.7. Mozilla developers reported memory safety bugs present in...

A security issue was found in Firefox before version 85.0. When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC...

A security issue was found in Firefox before version 85.0. Incorrect use of the RowCountChanged method could have led to a use-after-poison and a...

A security issue was found in Firefox before version 85.0. Further techniques that built on the slipstream research combined with a malicious webpage could...

A security issue was found in Firefox before version 85.0 and Thunderbird before version 78.7. Performing garbage collection on re- declared JavaScript...

A security issue was found in Firefox before version 85.0. A cross- site scripting (XSS) bug in the internal error pages could have led to various spoofing...

A security issue was found in Firefox before version 85.0. The browser could have been confused into transferring a screen sharing state into another tab,...

A security issue was found in Firefox before version 85.0. Navigations through the Android-specific intent URL scheme could have been misused to escape the...

A security issue was found in Firefox before version 85.0. An ambiguous file picker design could have confused users who intended to select and upload a...

A security issue was found in Firefox before version 85.0. The browser could have been confused into transferring a pointer lock state into another tab,...

A security issue was found in Firefox before version 85.0 and Thunderbird before version 78.7. Using the new logical assignment operators in a JavaScript...

A security issue was found in Firefox before version 85.0 and Thunderbird before version 78.7. If a user clicked into a specifically crafted PDF, the PDF...

Mozilla developers Christian Holler, Jan-Ivar Bruaroey, and Gabriele Svelto reported memory safety bugs present in Firefox 83. Some of these bugs showed...

Mozilla developer Christian Holler reported memory safety bugs present in Firefox 83, Firefox ESR 78.5 and Thunderbird 78.5. Some of these bugs showed...

If a user downloaded a file lacking an extension on Firefox for Windows before 84.0 or Thunderbird for Windows before 78.6, and then "Open"-ed it from the...

A security issue was discovered in Firefox before 84.0 and Thunderbird before 78.6. When an extension with the proxy permission registered to receive...

A security issue was discovered in Firefox before 84.0. When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a...

A security issue was discovered in Firefox before 84.0 and Thunderbird before 78.6. Using techniques that built on the slipstream research, a malicious...

A security issue was discovered in Firefox for Android before 84.0. By attempting to connect a website using an unresponsive port, an attacker could have...

A security issue was found in Firefox before 84.0. When an HTTPS page was embedded in an HTTP page, and there was a service worker registered for the...

When a malicious application installed on the user's device broadcast an Intent to Firefox for Android before 84.0, arbitrary headers could have been...

A security issue was found in Firefox before 84.0 and Thunderbird before 78.6. When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object...

A security issue was found in Firefox before 84.0 and Thunderbird before 78.6 where certain input to the CSS Sanitizer confused it, resulting in incorrect...

A security issue was found in Firefox before 84.0. The lifecycle of IPC Actors allows managed actors to outlive their manager actors; and the former must...

A security issue was found in Firefox before 84.0 and Thunderbird before 78.6 where certain blit values provided by the user were not properly constrained,...

Several memory safety issues have been found in Firefox before 83.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety issues have been found in Firefox before 83.0 and Firefox ESR before 78.4. Some of these bugs showed evidence of memory corruption and...

A security issue has been found in Firefox before 83.0 where, when listening for page changes with a Mutation Observer, a malicious web page could confuse...

An information disclosure issue has been found in Firefox before 83.0. Some websites have a feature "Show Password" where clicking a button will change a...

A denial of service issue has been found in Firefox before 83.0, where repeated calls to the history and location interfaces could have been used to hang...

A security issue has been found in Firefox before 83.0, where cross- origin iframes that contained a login form could have been recognized by the login...

A security issue has been found in Firefox before 83.0 where, when DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the...

A security issue has been found in Firefox before 83.0 where, if the Compact() method was called on an nsTArray, the array could have been reallocated...

A security issue has been found in Firefox before 83.0 where, during browser shutdown, reference decrementing could have occurred on a previously freed...

Firefox before 83.0 did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This...

A security issue has been found in Firefox before 83.0 where, in some cases, removing HTML elements during sanitization would keep existing SVG event...

A security issue has been found in Firefox before 83.0 where it was possible to cause the browser to enter fullscreen mode without displaying the security...

A security issue has been found in Firefox before 83.0 where incorrect bookkeeping of functions inlined during JIT compilation could have led to memory...

A parsing and event loading mismatch has been found in Firefox's SVG code before 83.0 and could have allowed load events to fire, even after sanitization....

A use-after-free has been found in Firefox before 82.0.3 where, in certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions.

A security issue was found in Firefox before 84.0.2, Thunderbird before 78.6.1 and Chromium before 88.0.4324.96. A malicious peer could have modified a...

An uninitialized use security issue has been found in the V8 component of the chromium browser before version 87.0.4280.88 and Firefox before 84.0.

An information disclosure issue has been found in Firefox before 83.0 and chromium before 87.0.4280.66. When drawing a transparent image on top of an...

A heap buffer overflow has been found in freetype2 before 2.10.4. Malformed TTF files with PNG sbit glyphs can cause a heap buffer overflow in Load_SBit_Png...

A use after free security issue has been found in the WebRTC component of the chromium browser before 86.0.4240.75 and of Firefox before 82.0.

Several memory safety bugs have been found in Firefox before 82.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety bugs have been found in Firefox before 82.0 and Firefox ESR before 78.4. Some of these bugs showed evidence of memory corruption and...

A spoofing issue has been found in Firefox before 82.0 where, when a link to an external protocol was clicked, a prompt was presented that allowed the user...

A memory corruption issue has been found in Firefox before 82.0 where, when multiple WASM threads had a reference to a module, and were looking up exported...

An information disclosure issue has been found in Firefox before 82.0 where if a valid external protocol handler was referenced in an image tag, the...

A use-after-free issue has been found in Firefox before 81.0 where, when recursing through graphical layers while scrolling, an iterator may have become...

An issue has been found in Firefox before 81.0 where, by exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site...

Firefox before 81.0 sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after...

A use-after-free issue has been found in the WebGL implementation of Firefox before 81.0 where, when processing surfaces, the lifetime may outlive a...

Several memory safety issues have been found in Firefox before 81.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety issues have been found in Firefox before 81.0 and Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and...

Mozilla developers and community members reported memory safety bugs present in Firefox 78 and Firefox ESR 78.0. Some of these bugs showed evidence of...

The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an...

JIT optimizations involving the Javascript arguments object could confuse later optimizations. This risk was already mitigated by various precautions in the...

A redirected HTTP request which is observed or modified through a web extension could bypass existing CORS checks, leading to potential disclosure of...

When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user is interacting with the user interface, when they...

An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites...

By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to...

An undefined behaviour leading to memory corruption issues has been found in the crossbeam rust crate <= 0.4.3. The "bounded" channel incorrectly assumes...

Mozilla developers :Gijs (he/him), Randell Jesup reported memory safety bugs present in Firefox 76. Some of these bugs showed evidence of memory corruption...

Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox 76, Firefox ESR 68.8 and Thunderbird before 68.9.0. Some of...

When using certain blank characters in a URL, they where incorrectly rendered as spaces instead of an encoded URL.

When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar.

Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The...

Mozilla Developer Iain Ireland discovered a missing type check in Firefox before 77.0 and Thunderbird before 68.9.0 during unboxed objects removal,...

When browsing a malicious page in Firefox before 77.0 and Thunderbird before 68.9.0, a race condition in our SharedWorkerService could occur and lead to a...

NSS before 3.52.1, as used in Firefox before 77.0 and Thunderbird before 68.9.0, has shown timing differences when performing DSA signatures, which was...

Several memory safety bugs have been found in Firefox before 76.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety bugs has been found in Firefox before 76.0, Firefox ESR before 68.8 and Thunderbird before 68.8.0. Some of these bugs showed evidence...

A logic flaw has been found in the location bar implementation of Firefox before 76.0, and could have allowed a local attacker to spoof the current location...

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request in Firefox before 76.0 and Thunderbird before...

Documents formed using data: URLs in an object element failed to inherit the CSP of the creating context in Firefox before 76.0. This allowed the execution...

An incorrect origin serialization of URLs with IPv6 addresses issue has been found in Firefox before 76.0, and could lead to incorrect security checks.

A race condition has been found in Firefox before 76.0 and Thunderbird before 68.8.0, when running shutdown code for Web Worker, leading to a use-after-free...

A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC, in Firefox before 76.0, Thunderbird before 68.8.0 and chromium before...

Several memory safety issues have been found in Firefox before 75.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety issues have been found in Firefox before 75.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

A security issue has been found in Firefox before 75.0, where generated passwords may be identical on the same site between separate private browsing...

A security issue has been found in Firefox before 75.0, where a malicious extension could have called browser.identity.launchWebAuthFlow, controlling the...

An information disclosure issue has been found in Firefox before 75.0 and Thunderbird before 68.7.0. When reading from areas partially or fully outside the...

A use-after-free vulnerability has been found in Firefox before 74.0.1 and Thunderbird before 68.7.0 where, under certain conditions, when handling a...

A use-after-free vulnerability has been found in Firefox before 74.0.1 and Thunderbird before 68.7.0 where under certain conditions, when running the...

Several memory safety and script safety bugs have been found in Firefox before 74 and Thunderbird before 68.7.0. Some of these bugs showed evidence of...

Several memory safety and script safety bugs have been found in Firefox before 74, Firefox ESR before 68.6 and Thunderbird before 68.6. Some of these bugs...

A Content Security Policy bypass has been found in Firefox before 74. When protecting CSS blocks with the nonce feature of Content Security Policy, the...

An information disclosure issue has been found in Firefox before 74 and Thunderbird before 68.6. The first time AirPods are connected to an iPhone, they...

A security issue has been found in Firefox before 74 and Thunderbird before 68.6, where the 'Copy as cURL' feature of Devtools' network tab did not properly...

A security issue has been found in Firefox before 74 where, after a website had entered fullscreen mode, it could have used a previously opened popup to...

A security issue has been found in Firefox before 74 where, when a Web Extension had the all-urls permission and made a fetch request with a mode set to...

A security issue has been found in Firefox before 74 where, when a JavaScript URL (javascript:) is evaluated and the result is a string, this string is...

A use-after-free issue has been found in Firefox before 74 and Thunderbird before 68.6, in cubeb  during stream destruction. When a device was changed while...

A state confusion issue has been found in Firefox before 74 and Thunderbird before 68.6, in BodyStream::OnInputStreamReady. By carefully crafting promise...

A use-after-free issue has been found in Firefox before 74 and Thunderbird before 68.6. When removing data about an origin whose tab was recently closed, a...

Several memory safety bugs have been found in Firefox before 73.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety bugs have been found in Firefox before 73.0 and Thunderbird before 68.5. Some of these bugs showed evidence of memory corruption and...

An incorrect parsing of template could result in Javascript injection in Firefox before 73.0 and Thunderbird before 68.5. If a <template> tag was used in a...

A missing bounds check on shared memory read in the parent process has been found in Firefox before 73.0. A content process could have modified shared...

Inappropriate implementation in WebRTC.

Use after free in ANGLE in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds read has been found in Firefox before 74, Thunderbird before 68.6 and chromium before 80.0.3987.149. The inputs to...

A type confusion vulnerability has been found in Firefox before 72.0.1, and Thunderbird before 68.4.1. Incorrect alias information in IonMonkey JIT compiler...

Several memory safety issues have been found in Firefox before 72.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety issues have been found in Firefox before 72.0, Firefox ESR before 68.4.1, and Thunderbird before 68.3. Some of these bugs showed...

A security issue has been found in the NSS component of Firefox before 72.0. After a HelloRetryRequest has been sent, the client may negotiate a lower...

A security issue has been found in Firefox before 72.0, and Thunderbird before 68.4.1 where CSS sanitization does not escape HTML tags. When pasting a...

A Content Security Policy bypass has been found in Firefox before 72.0, where the CSP is not applied to XSL stylesheets applied to XML documents. If the XSL...

A type confusion issue has been found in Firefox before 72.0, and Thunderbird before 68.4.1, in XPCVariant.cpp where, due to a missing case handling object...

A security issue has been found in Firefox before 72.0, and Thunderbird before 68.4.1. When pasting a <style> tag from the clipboard into a rich text...

An information disclosure issue has been found in Firefox before 71.0 where, if an image had not loaded correctly (such as when it is not actually an...

Several memory safety bugs have been found in Firefox before 71.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety bugs have been found in Firefox before 71.0 and Thunderbird before 68.3. Some of these bugs showed evidence of memory corruption and...

A use-after-free vulnerability has been found in Firefox before 71.0 and Thunderbird before 68.3. Under certain conditions, when retrieving a document from...

A use-after-free vulnerability has been found in Firefox before 71.0 and Thunderbird before 68.3. Under certain conditions, when checking the Resist...

A privilege escalation vulnerability has been found in Firefox before 71.0. When running, the updater service wrote status and log files to an unrestricted...

A use-after-free vulnerability has been found in Firefox before 71.0 and Thunderbird before 68.3. When using nested workers, a use-after- free could occur...

An out-of-bounds write vulnerability has been found in Firefox before 71.0 and Thunderbird before 68.3 where the plain text serializer used a fixed-size...

An issue has been found in Firefox before 70.0 where, if upgrade- insecure-requests was specified in the Content Security Policy, and a link was dragged and...

A CSP bypass has been found in Firefox 69, where a Content-Security- Policy that blocks in-line scripts could be bypassed using an object tag to execute...

A CSP bypass has been found in Firefox 69, where an object tag with a data URI did not correctly inherit the document's Content Security Policy. This...

A security issue has been found in libexpat before 2.2.8, where crafted XML input could fool the parser into changing from DTD parsing to document parsing...

Incorrect permissions could be granted to a website in Firefox before 70.0. A compromised content process could send a message to the parent process that...

Several memory safety bugs have been found in Firefox before 70.0 and Thunderbird before 68.2. Some of these bugs showed evidence of memory corruption and...

An issue has been found in Firefox before 70.0 and Thunderbird before 68.2, where failure to correctly handle null bytes when processing HTML entities...

A same-origin policy bypass has been found in Firefox before 70.0 and Thunderbird before 68.2 where, if two same-origin documents set document.domain...

An issue has been found in Firefox before 70.0 and Thunderbird before 68.2, where by using a form with a data URI it was possible to gain access to the...

A fixed-size stack buffer overflow has been found in nrappkit, in the WebRTC signaling code of Firefox before 70.0 and Thunderbird before 68.2.

A stack-based buffer overflow has been found in the HKDF output of Firefox before 70.0 and Thunderbird before 68.2. An attacker could have caused 4 bytes of...

A use-after-free issue has been found in the IndexedDB component of Firefox before 70.0 and Thunderbird before 68.2. When storing a value in IndexedDB, the...

A use-after-free vulnerability has been found in Firefox before 71.0 where improper reference counting of soft token session objects could cause a...

In Firefox before 69.0, it is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This results in a...

A type confusion vulnerability exists in the Spidermonkey component of Firefox before 69.0, which results in a non-exploitable crash.

A vulnerability exists in the WebRTC component of Firefox before 69.0 where malicious web content can use probing techniques on the getUserMedia API using...

WebRTC in Firefox before 69.0 will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party...

The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site. This includes...

A use-after-free vulnerability can occur in Firefox before 69.0 while manipulating video elements if the body is freed while still in use. This results in a...

An out-of-bounds write vulnerability has been found in the NSS component of Firefox before 71.0 and Thunderbird before 68.3. When encrypting with a block...

A security issue has been found in Firefox before 69.0. Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without...

In Firefox before 69.0, navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the...

A same-origin policy violation can occur in Firefox before 69.0, allowing the theft of cross-origin images through a combination of SVG filters and a...

In Firefox before 69.0, a compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can...

Several memory safety bugs have been found in Firefox before 69.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

In Firefox before 69.0, if a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input,...

In Firefox before 69.0, if a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the...

Several memory safety bugs have been found in Firefox before 69.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety bugs have been found in Firefox before 69.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

An issue has been found in Firefox before 68.0.2. When a master password is set, it is required to be entered before stored passwords can be accessed in the...

A vulnerability exists in Firefox before 68.0 where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the...

Empty or malformed p256-ECDH public keys may trigger a segmentation fault in Firefox before 68.0 due values being improperly sanitized before being copied...

In firefox before 68.0, the HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible...

A vulnerability exists in Firefox before 68.0 where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5...

In Firefox before 68.0, when a user navigates to a site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is...

Application permissions in Firefox before 68.0 give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and...

A vulnerability exists in Firefox 68.0 during the installation of add- ons where the initial fetch ignored the origin attributes of the browsing context....

The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar in Firefox before 68.0. This allows for domain spoofing...

In Firefox before 68.0, some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing...

In Firefox before 68.0, when importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in...

In Firefox before 68.0, Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity...

A vulnerability exists in Firebox before 68.0 where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a...

In Firefox before 68.0, until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as...

In Firefox before 68.0, due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS...

Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances.

A use-after-free vulnerability can occur in the HTTP/2 component of Firefox before 68.0, when a cached HTTP/2 stream is closed while still in use, resulting...

In Firefox before 68.0, POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This...

In Firefox before 68.0, when an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different...

Several memory safety bugs have been found in Firefox before 68.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety bugs have been found in Firefox before 68.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

An issue has been found in Firefox before 67.0.4, where an insufficient vetting of parameters passed with the Prompt:Open IPC message between child and...

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop, in Firefox before 67.0.3. This can allow for an...

The default webcal: protocol handler in Firefox before 67.0 will load a web site vulnerable to cross-site scripting (XSS) attacks. This default was left in...

A malicious page can briefly cause the wrong name to be highlighted as the domain name in the addressbar during page navigations in Firefox before 67.0....

If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar in Firefox before 67.0 or Thunderbird before 60.7.0, and the resulting bookmark...

In Firefox before 67.0, if the ALT and "a" keys are pressed when users receive an extension installation prompt, the extension will be installed without the...

In Firefox before 67.0, files with the .JNLP extension used for "Java web start" applications are not treated as executable content for download prompts...

In Firefox before 67.0, a custom cursor defined by scripting on a site can position itself over the addressbar to spoof the actual cursor when it should not...

The bufferdata function in WebGL in Firefox before 67.0 and Thunderbird before 60.7.0 is vulnerable to a buffer overflow with specific graphics drivers on...

A use-after-free vulnerability can occur in Firefox before 67.0 and Thunderbird before 60.7.0, when listeners are removed from the event listener manager...

A use-after-free vulnerability can occur in Firefox before 67.0 and Thunderbird before 60.7.0, when working with XMLHttpRequest (XHR) in an event loop,...

A use-after-free vulnerability can occur in AssertWorkerThread in Firefox before 67.0, due to a race condition with shared workers. This results in a...

A use-after-free vulnerability can occur in the chrome event handler of Firefox before 67.0 when it is freed while still in use. This results in a...

A vulnerability where a JavaScript compartment mismatch can occur in Firefox before 67.0 and Thunderbird before 60.7.0, while working with the fetch API,...

In Firefox before 67.0 and Thunderbird before 60.7.0, images from a different domain can be read using a canvas object in some circumstances. This could be...

A possible vulnerability exists in Firefox before 67.0 and Thunderbird before 60.7.0, where type confusion can occur when manipulating JavaScript objects in...

Several memory safety bugs have been found in Firefox before 67.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

An incorrect handling of __proto__ mutations may lead to type confusion in the IonMonkey JIT code of Firefox before 66.0.1 and Thunderbird before 60.6.1,...

In Firefox before 69.0, given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading...

A sandbox escape has been found in Firefox before 68.0, by installing a malicious language pack and then opening a browser feature that used the compromised...

An incorrect alias information in the IonMonkey JIT compiler of Firefox before 66.0.1 and Thunderbird before 60.6.1 for the Array.prototype.slice method may...

If the source for resources on a page is through an FTP connection in Firefox before 66.0, it is possible to trigger a series of modal alert messages for...

If WebRTC permission is requested from documents with data: or blob: URLs in Firefox before 66.0, the permission notifications do not properly display the...

When arbitrary text is sent over an FTP connection and a page reload is initiated in Firefox before 66.0, it is possible to create a modal alert message...

A vulnerability exists in Firefox before 66.0 during authorization prompting for FTP transaction where successive modal prompts are displayed and cannot be...

A latent vulnerability exists in the Prio library in Firefox before 66.0 where data may be read from uninitialized memory for some functions, leading to...

The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must...

If a Sandbox content process is compromised in Firefox before 66.0, it can initiate an FTP download which will then use a child process to render the...

Several memory safety bugs have been found in Firefox before 67.0 and Thunderbird before 60.7.0. Some of these bugs showed evidence of memory corruption and...

Insufficient bounds checking of data during inter-process communication in Firefox before 66.0 might allow a compromised content process to be able to read...

Cross-origin images can be read in violation of the same-origin policy, in Firefox before 66.0, by exporting an image after using createImageBitmap to read...

A use-after-free vulnerability can occur in Firefox before 66.0 when the SMIL animation controller incorrectly registers with the refresh driver twice when...

A vulnerability has been found in Firefox before 66.0; where type- confusion in the IonMonkey just-in-time (JIT) compiler could potentially be used by...

A mechanism was discovered in Firefox before 66.0 that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have...

The IonMonkey just-in-time (JIT) compiler in Firefox before 66.0 can leak an internal JS_OPTIMIZED_OUT magic value to the running script during a bailout....

The type inference system in Firefox before 66.0 allows the compilation of functions that can cause type confusions between arbitrary objects when compiled...

A use-after-free vulnerability can occur in Firefox before 66.0 when a raw pointer to a DOM element on a page is obtained using JavaScript and the element...

Several memory safety bugs have been found in Firefox before 66.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety bugs have been found in Firefox before 66.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

png_image_free in png.c in libpng 1.6.36 has a use-after-free because png_image_free_function is called under png_safe_execute.

An out-of-bounds read vulnerability exists in the Skia graphics library shipped in Firefox before 69.0, allowing for the possible leaking of data from memory.

An integer overflow issue has been found in the Skia component of firefox before 65.0.1 and thunderbird before 60.5.1.

A cross-origin theft of images issue has been found in the ImageBitmapRenderingContext component of firefox 65.0, where cross- origin images can be read...

When proxy auto-detection is enabled in Firefox < 65.0, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally,...

A privilege escalation issue has been found in Firefox < 65.0. An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added...

A memory corruption and out-of-bounds read have been found in Firefox < 65.0, that can occur when the buffer of a texture client is freed while it is still...

A memory corruption vulnerability has been found in the Audio Buffer component of Firefox < 65.0. When JavaScript is used to create and manipulate an audio...

Several memory safety bugs have been found in Firefox < 65.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough...

Several memory safety bugs have been found in Firefox < 65.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough...

A use-after-free vulnerability has been found in Firefox < 65.0, that can occur while parsing an HTML5 stream in concert with custom HTML elements. This...

A security issue has been found in Firefox < 64.0, where limitations on the URIs allowed to WebExtensions by the browser.windows.create API can be bypassed...

A security issue has been found in Firefox < 64.0, where WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of...

A same-origin policy violation has been found in Firefox < 64.0, allowing the theft of cross-origin URL entries when using the Javascript location property...

A buffer overflow can occur in the Skia library use by Firefox < 64.0, during buffer offset calculations with hardware accelerated canvas 2D actions due to...

A use-after-free has been found in Firefox < 64.0, after deleting a selection element due to a weak reference to the select element in the options collection.

A use-after-free has been found in the Skia component of chromium before 71.0.3578.80 and firefox before 65.0.1 and thunderbird before 60.5.1.

A buffer overflow and out-of-bounds read has been found in the TextureStorage11 function of the Angle library, as used in the chromium browser before...

A buffer overflow has been found in the Angle library used for WebGL content by Firefox < 64.0, when drawing and validating elements with the VertexBuffer11 module.

Several memory safety bugs have been found in Firefox < 64.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough...

Several memory safety bugs have been found in Firefox < 64.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough...

A security issue has been found in Firefox versions prior to 63.0, where if a site is loaded over a HTTPS connection but loads a favicon resource over HTTP,...

A security issue has been found in Firefox versions prior to 63.0, where SameSite cookies are sent on cross-origin requests when the "Save Page As..." menu...

A security issue has been found in Firefox versions prior to 63.0, where some special resource URIs will cause a non-exploitable crash if loaded with...

A security issue has been found in Firefox versions prior to 63.0, where when a new protocol handler is registered, the API accepts a title argument which...

A security issue has been found in Firefox versions prior to 63.0, where it is possible to inject stylesheets and bypass Content Security Policy (CSP) by...

A security issue has been found in Firefox versions prior to 63.0, where a WebExtension can request access to local files without the warning prompt stating...

A security issue has been found in Firefox versions prior to 63.0, where a WebExtension can run content scripts in disallowed contexts following navigation...

A security issue has been found in Firefox versions prior to 63.0, where by rewriting the Host request headers using the webRequest API, a WebExtension can...

A security issue has been found in Firefox and Thunderbird versions prior to 63.0. When manipulating user events in nested loops while opening a document...

Several memory safety bugs have been found in Firefox and Thunderbird versions prior to 63.0. Some of these bugs showed evidence of memory corruption and...

Several memory safety bugs have been found in Firefox versions prior to 63.0. Some of these bugs showed evidence of memory corruption and Mozilla engineers...

A vulnerability has been found in Firefox before 62.0.3 where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results...

A vulnerability has been found in Firefox before 62.0.3 in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and...

An integer overflow vulnerability has been found in the Skia library shipped with Firefox before 61.0  and Thunderbird before 60.0, when allocating memory...

In the Reader View of Firefox before 61.0, SameSite cookie protections are not checked on exiting. This allows for a payload to be triggered when Reader...

WebExtensions bundled with embedded experiments were not correctly checked for proper authorization before Firefox 61.0. This allowed a malicious...

A security issue has been found in Firefox before 61.0 and Thunderbird before 60.0. In the previous mitigations for Spectre, the resolution or precision of...

An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value, in Firefox before 61.0...

A security issue has been found in Firefox before 61.0 and Thunderbird before 52.9 where a compromised IPC child process can escape the content sandbox and...

A security issue has been found in Firefox before 61.0 and Thunderbird before 52.9, where NPAPI plugins, such as Adobe Flash, can send non- simple...

A use-after-free vulnerability can occur in Firefox before 61.0 and Thunderbird before 52.9 when script uses mutation events to move DOM nodes between...

An integer overflow can occur in Firefox before 61.0 and Thunderbird before 52.9 during graphics operations done by the Supplemental Streaming SIMD...

An integer overflow can occur in Firefox before 61.0 and Thunderbird before 60.0 in the SwizzleData code while calculating buffer sizes. The overflowed...

A use-after-free vulnerability can occur in Firefox before 61.0 and Thunderbird before 52.9 when deleting an input element during a mutation event handler...

A buffer overflow can occur in Firefox before 61.0 and Thunderbird before 52.9 when rendering canvas content while adjusting the height and width of the...

Service workers in Firefox before 61.0 can use redirection to avoid the tainting of cross-origin resources in some instances, allowing a malicious site to...

An issue was discovered in password-store.sh in pass in Simple Password Store 1.7 through 1.7.1. The signature verification routine parses the output of...

A heap-based buffer overflow has been found in Firefox before 70.0, where an incorrect derivation of a packet length in WebRTC caused heap corruption via a...

A heap-based buffer overflow has been found in the Skia component of the Firefox browser before 60.0.2, when rasterizing paths using a maliciously crafted...

Several memory safety bugs have been found in Firefox before 61.0 and Thunderbird before 52.9. Some of these bugs showed evidence of memory corruption and...

Several memory safety bugs have been found in Firefox before 61.0 and Thunderbird before 60.0. Some of these bugs showed evidence of memory corruption and...

Several memory safety bugs have been found in Firefox before 61.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the address bar of Firefox before 60.0,...

If a URL using the file: protocol is dragged and dropped onto an open tab of Firefox before 60.0 that is running in a different child process the tab will...

A use-after-free vulnerability can occur during WebGL operations in Firefox before 60.0. While this results in a potentially exploitable crash, the...

A vulnerability exists in the XSLT component of Firefox before 60.0, during number formatting where a negative buffer size may be allocated in some...

The JSON Viewer in Firefox before 60.0 displays clickable hyperlinks for strings that are parseable as URLs, including javascript: links. If a JSON file...

A mechanism to bypass Content Security Policy (CSP) protections on sites that have a script-src policy of 'strict-dynamic' has been found in Firefox < 60.0....

The filename appearing in the Downloads panel in Firefox before 60.0 improperly renders some Unicode characters, allowing for the file name to be spoofed....

The Live Bookmarks page and the PDF viewer in Firefox before 60.0 can run injected script content if a user pastes script from the clipboard into them while...

If manipulated hyperlinked text with chrome: URL contained in it is dragged and dropped on the "home" icon in Firefox before 60.0, the home page can be...

Sites can bypass security checks on permissions to install lightweight themes in Firefox before 60.0 and Thunderbird before 52.8, by manipulating the...

The web console and JavaScript debugger in Firefox < 6.0.0 do not sanitize all output that can be hyperlinked. Both will display chrome: links as active,...

WebExtensions in Firefox before 60.0 can use request redirection and a filterReponseData filter to bypass host permission settings to redirect network...

A Content Security Policy (CSP) bypass has been found in Firefox < 60.0, where the CSP is not applied correctly to all parts of multipart content sent with...

A sandbox escape vulnerability has been found in Firefox < 60.0. If a malicious attacker has used another vulnerability to gain full control over a content...

A uninitialized memory use vulnerability has been found in the WebRTC component of Firefox < 60.0, which can use a WrappedI420Buffer pixel buffer whose...

An integer overflow vulnerability has been found in the Skia library used in Firefox < 60.0 and Thunderbird < 52.8, due to 32-bit integer use in an array...

A insufficient sanitization of Postscript calculator functions vulnerability has been found in the PDF viewer of Firefox < 60.0, allowing malicious...

A same-origin policy bypass vulnerability has been found in the PDF viewer of Firefox < 60.0,  allowing a malicious site to intercept messages meant for the...

A use-after-free vulnerability has been found in Firefox < 60.0 and Thunderbird < 52.8, while adjusting layout during SVG animations with text paths.

A use-after-free vulnerability has been found in Firefox < 60.0 and Thunderbird < 52.8, while enumerating attributes during SVG animations with clip paths.

An information disclosure vulnerability has been found in Firefox < 60.0. If websocket data is sent with mixed text and binary in a single message, the...

An information disclosure vulnerability has been found in Firefox < 60.0. WebExtensions with the appropriate permissions can attach content scripts to...

Several memory safety bugs has been found in Firefox before 60.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with...

Several memory safety bugs have been found in Firefox before 60.0 and Thunderbird before 52.8. Some of these bugs showed evidence of memory corruption and...

An out of bounds memory write vulnerability has been discovered in libtremor while processing Vorbis audio data related to codebooks that are not an exact...

An out of bounds memory write vulnerability has been discovered in libvorbis before 1.3.6 while processing Vorbis audio data related to codebooks that are...

If a document’s Referrer Policy attribute is set to "no-referrer" sometimes two network requests are made for <link> elements instead of one in Firefox...

JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks in Firefox before 57.0. If...

Control characters prepended before javascript: URLs pasted in the addressbar in Firefox before 57.0 can cause the leading characters to be ignored and the...

Punycode format text in Firefox before 57.0 will be displayed for entire qualified international domain names in some instances when a sub-domain triggers...

SVG loaded through <img> tags in Firefox before 57.0 can use <meta> tags within the SVG data to set cookies for that page.

The "pingsender" executable used by the Firefox Health Report before 57.0 dynamically loads a system copy of libcurl, which an attacker could replace. This...

Mixed content blocking of insecure (HTTP) sub-resources in a secure (HTTPS) document was not correctly applied for resources that redirect from HTTPS to...

A data: URL loaded in a new tab of Firefox before 57.0 did not inherit the Content Security Policy (CSP) of the original page, allowing for bypasses of the...

Some Arabic and Indic vowel marker characters can be combined with Latin characters in a domain name to eclipse the non-Latin character with some font sets...

The combined, single character, version of the letter 'i' with any of the potential accents in unicode, such as acute or grave, can be spoofed in the...

A vulnerability has been found in Firefox before 57.0  where the security wrapper does not deny access to some exposed properties using the deprecated...

The Resource Timing API in Firefox before 57.0 and Thunderbird before 52.5 incorrectly revealed navigations in cross-origin iframes. This is a same-origin...

A use-after-free vulnerability can occur in Firefox before 57.0 and Thunderbird before 52.5 when flushing and resizing layout because the PressShell object...

Several memory safety bugs have been found in Firefox before 57.0. Some of these bugs showed evidence of memory corruption and with enough effort some of...

Several reported memory safety bugs have been found in Firefox before 57.0 and Thunderbird before 52.5. Some of these bugs showed evidence of memory...

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, when an editor DOM node is deleted prematurely during tree traversal while...

A CSP information leak has been found in Firefox < 55.0. A content security policy (CSP) frame-ancestors directive containing origins with paths allows for...

A domain hijacking flaw has been found in firefox < 55.0 and thunderbird < 52.3. A mechanism that uses AppCache to hijack a URL in a domain using fallback...

A use-after-free vulnerability has been found in Firefox < 55.0, when the layer manager is freed too early when rendering specific SVG content, resulting in...

A security issue has been found in firefox < 55.0 and thunderbird < 52.3. When a page’s content security policy (CSP) header contains a sandbox directive,...

A use-after-free vulnerability has been found in firefox < 55.0 and thunderbird < 52.3, when manipulating the DOM during the resize event of an image...

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, while re-computing layout for a marquee element during window resizing where...

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, in WebSockets, when the object holding the connection is freed before the...

A security issue has been found in Firefox < 55.0. JavaScript in the about:webrtc page is not sanitized properly being being assigned to innerHTML. Data on...

A XUL injection has been found in Firefox < 55.0, in the style editor in devtools. The Developer Tools feature suffers from a XUL injection vulnerability...

A security issue has been found in Firefox <55.0. Response header name interning does not have same-origin protections and these headers are stored in a...

A security issue has been found in Firefox < 55.0. On Linux systems, if the content process is compromised, the sandbox broker will allow files to be...

A buffer overflow has been found in firefox < 55.0 and thunderbird < 52.3, when viewing a certificate in the certificate manager if the certificate has an...

A content spoofing issue has been found in firefox < 55.0 and thunderbird < 52.3. On pages containing an iframe, the data: protocol can be used to create a...

A security issue has been found in Firefox < 55.0. If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be...

A security issue has been found in Firefox < 55.0. When an iframe has a sandbox attribute and its content is specified using srcdoc, that content does not...

Same-origin policy protections can be bypassed in firefox < 55.0 and thunderbird < 52.3, on pages with embedded iframes during page reloads, allowing the...

A buffer overflow has been found in firefox < 55.0 and thunderbird < 52.3, when the image renderer attempts to paint non-displayable SVG elements. This...

A buffer overflow has been found in firefox < 55.0 and thunderbird < 52.3, when manipulating Accessible Rich Internet Applications (ARIA) attributes within...

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, when reading an image observer during frame reconstruction after the...

A denial of service has been found in Firefox < 55.0. If a long user name is used in a username/password combination in a site URL (such as...

An elliptic curve point addition error has been found in Firefox < 55.0. An error occurs in the elliptic curve point addition algorithm that uses mixed...

Several memory safety bugs have been found in Firefox < 55.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort...

Several memory safety bugs have been found in firefox < 55.0 and thunderbird < 52.3. Some of these bugs showed evidence of memory corruption and we presume...

An out-of-bounds write has been found in the Graphite 2 library used in Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

An use of initialized memory has been found in the Graphite 2 library used in Firefox < 54.0 and Thunderbird < 52.2, in GlyphCache::Loader::read_glyph.

A heap-buffer-overflow read has been found in the Graphite 2 library used in Firefox < 54.0 and Thunderbird < 52.2, in Silf::getClassGlyph.

An assertion failure has been found in the Graphite 2 library used in Firefox < 54.0 and Thunderbird < 52.2.

An out-of-bounds read has been found in the Graphite 2 library used in Firefox < 54.0 and Thunderbird < 52.2, in Silf::readGraphite.

A heap-buffer-overflow write has been found in the Graphite 2 library used in Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

A heap-buffer-overflow write has been found in the Graphite 2 library used in Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

An out-of-bounds read has been found in the Graphite 2 library used in Firefox < 54.0 and Thunderbird < 52.2, in Pass::readPass.

A security issue has been found in Firefox < 54.0 and Thunderbird < 52.2, where characters from the "Canadian Syllabics" unicode block can be mixed with...

A security issue has been found in Firefox < 54.0. When entered directly, Reader Mode did not strip the username and password section of URLs displayed in...

An out-of-bounds read vulnerability has been found in Firefox < 54.0 and Thunderbird < 52.2, with the Opus encoder when the number of channels in an audio...

A use after-free vulnerability has been found in Firefox < 54.0 and Thunderbird < 52.2, in IndexedDB when one of its objects is destroyed in memory while a...

A use after-free and use-after-scope vulnerability has been found in Firefox < 54.0 and Thunderbird < 52.2, when logging errors from headers for XML HTTP...

An out-of-bounds read has been found in Firefox < 54.0 and Thunderbird < 52.2, with a maliciously crafted ImageInfo object during WebGL operations.

An out-of-bounds read  has been found in firefox < 55.0 and thunderbird < 52.3, when applying style rules to pseudo-elements, such as ::first-line, using...

A use-after-free has been found in Firefox < 54.0 and Thunderbird < 52.2, during specific user interactions with the input method editor (IME) in some...

A use-after-free has been found in Firefox < 54.0 and Thunderbird < 52.2, in content viewer listeners.

A use-after-free has been found in Firefox < 54.0 and Thunderbird < 52.2, during video control operations when a <track> element holds a reference to an...

A user-after-free has been found in Firefox < 54.0 and Thunderbird < 52.2, when using an incorrect URL during the reloading of a docshell.

A use-after-free vulnerability has been found in Firefox < 54.0 and Thunderbird < 52.2, in the frameloader during tree reconstruction while regenerating CSS...

Several memory safety issues leading to arbitrary code execution have been found in Firefox < 54.0.

Several memory safety issues leading to arbitrary code execution have been found in Firefox < 54.0 and Thunderbird < 52.2.

Several potential buffer overflows in generated code, due to the CVE-2016-6354 issue in Flex, have been fixed in Firefox 53.

An issue with incorrect ownership model of privateBrowsing information exposed through developer tools has been found in Firefox < 53. This can result in a...

A potential memory corruption and crash has been found in Firefox < 53, when using Skia content when drawing content outside of the bounds of a clipping region.

An origin confusion issue has been found in Firefox < 53. If a page is loaded from an original site through a hyperlink and contains a redirect to a...

An out-of-bounds read has been found in Firefox < 53, while processing SVG content in ConvolvePixel. This results in a crash and also allows for otherwise...

A security issue has been found in Firefox < 53. During DOM manipulations of the accessibility tree through script, the DOM tree can become out of sync with...

An out-of-bounds write during Base64 decoding operation has been found in the Network Security Services (NSS) library due to insufficient memory being...

A use-after-free vulnerability has been found in Firefox < 53. It's located in frame selection, triggered by a combination of malicious script content and...

A buffer overflow has been found in the WebGL part of Firefox < 53. It's triggerable by web content, resulting in a potentially exploitable crash.

An issue has been found in Firefox < 53. When a javascript: URL is drag and dropped by a user into the addressbar, the URL will be processed and executed....

A security issue has been found in Firefox < 53, allowing to bypass file system access protections in the sandbox using the file system request constructor...

A security issue has been found in Firefox < 53. The internal feed reader APIs that crossed the sandbox barrier allowed for a sandbox escape and escalation...

A security issue has been found in Firefox < 53, allowing to bypass file system access protections in the sandbox to use the file picker to access different...

A security issue has been found in Firefox < 53, allowing to inject static HTML into the RSS reader preview page due to a failure to escape characters sent...

A security issue has been found in Firefox < 53, allowing to spoof the addressbar through the user interaction on the addressbar and the onblur event. The...

A possibly exploitable crash has been found in Firefox < 53, triggered during layout and manipulation of bidirectional unicode text in concert with CSS animations.

A security issue has been found in Firefox < 53, an out-of-bounds write in ClearKeyDecryptor while decrypting some Clearkey-encrypted media content. The...

An out-of-bounds read has been found in Firefox < 53, during the processing of glyph widths while rendering text layout. This results in a potentially...

An out-of-bounds read has been found in Firefox < 53, when an HTTP/2 connection to a servers sends DATA frames with incorrect data content. This leads to a...

A vulnerability has been found in Firefox < 53, while parsing application/http-index-format format content where uninitialized values are used to create an...

A buffer overflow vulnerability has been found in Firefox < 53, while parsing application/http-index-format format content when the header contains...

An out-of-bounds write vulnerability has been found in Firefox < 53, while decoding improperly formed BinHex format archives.

A use-after-free vulnerability during changes in style when manipulating DOM elements has been found in Firefox < 53. This results in a potentially...

A use-after-free vulnerability when holding a selection during scroll events has been found in Firefox < 53. This results in a potentially exploitable crash.

A use-after-free vulnerability has been found in Firefox < 53, during XSLT processing due to a failure to propagate error conditions during matching while...

A use-after-free vulnerability has been found in Firefox < 53, during XSLT processing due to poor handling of template parameters. This results in a...

A use-after-free vulnerability has been found in Firefox < 53, during XSLT processing due to the result handler being held by a freed handler during...

Three vulnerabilities were reported in the Libevent library that allow for out-of-bounds reads and denial of service (DoS) attacks: CVE-2016-10195,...

An out-of-bounds write has been found in the Graphite 2 library, triggered with a maliciously crafted Graphite font. This results in a potentially...

A use-after-free vulnerability has been found in Firefox < 53. It occurs during transaction processing in the editor during design mode interactions and...

A use-after-free vulnerability has been found in Firefox < 53. It occurs when redirecting focus handling and results in a potentially exploitable crash.

A use-after-free vulnerability has been found in Firefox < 53, It occurs in SMIL animation functions when pointers to animation elements in an array are...

A use-after-free vulnerability has been found in Firefox < 53. It occurs during certain text input selection and results in a potentially exploitable crash.

Mozilla developers and community members Christian Holler, Jon Coppeard, Milan Sreckovic, Tyson Smith, Ronald Crane, Randell Jesup, Philipp, Tooru Fujisawa,...

Mozilla developers and community members Christian Holler, Jon Coppeard, Marcia Knous, David Baron, Mats Palmgren, Ronald Crane, Bob Clary, and Chris...

An integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to...

A non-existent chrome.manifest file will attempt to be loaded during startup from the primary installation directory. If a malicious user with local access...

On Linux, if the secure computing mode BPF (seccomp-bpf) filter is running when the Gecko Media Plugin sandbox is started, the sandbox fails to be applied...

If a malicious site uses the view-source: protocol in a series within a single hyperlink, it can trigger a non-exploitable browser crash when the hyperlink...

A malicious site could spoof the contents of the print preview window if popup windows are enabled, resulting in user confusion of what site is currently loaded.

A javascript: url loaded by a malicious page can obfuscate its location by blanking the URL displayed in the address bar, allowing for an attacker to spoof...

If a malicious site repeatedly triggers a modal authentication prompt, eventually the browser UI will become non-responsive, requiring shutdown through the...

An out of bounds read error occurs when parsing some HTTP digest authorization responses, resulting in information leakage through the reading of random...

When dragging content from the primary browser pane to the address bar on a malicious site, it is possible to change the address bar so that the displayed...

In certain circumstances a networking event listener can be prematurely released. This appears to result in a null dereference in practice.

An attack can use a blob URL and script to spoof an arbitrary address bar URL prefaced by blob: as the protocol, leading to user confusion and further...

The file picker dialog can choose and display the wrong local default directory when instantiated. On some operating systems, this can lead to information...

A segmentation fault can occur during some bidirectional layout operations.

A buffer overflow read during SVG filter color value operations, resulting in data exposure.

Memory corruption resulting in a potentially exploitable crash during garbage collection of JavaScript due errors in how incremental sweeping is managed for...

Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential...

Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user....

A segmentation fault can occur in the Skia graphics library during some canvas operations due to issues with mask/clip intersection and empty masks.

Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations.

A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This...

When adding a range to an object in the DOM, it is possible to use addRange to add the range to an incorrect root object. This triggers a use-after-free,...

A use-after-free can occur when events are fired for a FontFace object after the object has been already been destroyed while working with fonts.

A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error.

JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks.

Several memory safety bugs, some of them leading to memory corruption issues have been found in Firefox < 52.

Several memory safety bugs, some of them leading to memory corruption issues have been found in Firefox < 52 and Thunderbird < 45.8.

A use-after-free vulnerability has been found in the Media Decoder of Firefox < 51 and Thunderbird < 45.7, when working with media files when some events...

The mozAddonManager in Firefox < 51 allows for the installation of extensions from the CDN for addons.mozilla.org, a publicly accessible site. This could...

In Firefox < 51, special about: pages used by web content, such as RSS feeds, can load privileged about: pages in an iframe. If a content- injection bug...

The JSON viewer in the Developer Tools in Firefox < 51 and Thunderbird < 45.7 uses insecure methods to create a communication channel for copying and...

WebExtensions in Firefox < 51 could use the mozAddonManager API by modifying the CSP headers on sites with the appropriate permissions and then using host...

In Firefox < 51, a STUN server in conjunction with a large number of webkitRTCPeerConnection objects can be used to send large STUN packets in a short...

The existence of a specifically requested local file can be found in Firefox < 51 due to the double firing of the onerror when the source attribute on a...

WebExtension scripts in Firefox < 51 can use the data: protocol to affect pages loaded by other web extensions using this protocol, leading to potential...

In Firefox < 51, data sent with in multipart channels, such as the multipart/x-mixed-replace MIME type, will ignore the referrer-policy response header,...

Proxy Auto-Config (PAC) files in Firefox < 51 can specify a JavaScript function called for all URL requests with the full URL path which exposes more...

URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display in Firefox < 51 and Thunderbird < 45.7,...

Feed preview for RSS feeds in Firefox < 51 can be used to capture errors and exceptions generated by privileged content, allowing for the exposure of...

The "export" function in the Firefox < 51 Certificate Viewer can force local filesystem navigation when the "common name" in a certificate contains slashes,...

A potential use-after-free vulnerability during DOM manipulation of SVG content has been in Firefox < 51 and Thunderbird < 45.7.

A use-after-free vulnerability has been found in Firefox < 51, in Web Animations, when interacting with cycle collection.

An information disclosure vulnerability has been found in Firefox < 51 and Thunderbird < 45.7, where hashed codes of JavaScript objects are shared between...

A memory corruption vulnerability in Skia that can occur when using transforms to make gradients, resulting in a potentially exploitable crash.

A use-after-free vulnerability has been found in Firefox < 51 and Thunderbird < 45.7, while manipulating XSL in XSLT documents.

JIT code allocation in Firefox < 51 and Thunderbird < 45.7 can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks.

Several memory safety bugs have been found in Firefox < 51. Some of these bugs showed evidence of memory corruption and we presume that with enough effort...

Several memory safety bugs have been found in Firefox < 51 and Thunderbird < 47.5. Some of these bugs showed evidence of memory corruption and we presume...

An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could...

Mozilla's add-ons SDK had a world-accessible resource with an HTML injection vulnerability. If an additional vulnerability allowed this resource to be...

The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows...

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the about:pocket-saved...

External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of data: URLs. This could allow for...

Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption.

Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor.

Memory corruption resulting in a potentially exploitable crash during WebGL functions using a vector constructor with a varying array within libGLES.

Use-after-free while manipulating the navigator object within WebVR. Note: WebVR is not currently enabled by default.

Event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript.

A buffer overflow in SkiaGl caused when a GrGLBuffer is truncated during allocation. Later writers will overflow the buffer, resulting in a potentially...

Mozilla developers and community members Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, Olli Pettay, Raymond...

Mozilla developers and community members Kan-Ru Chen, Christian Holler, and Tyson Smith reported memory safety bugs present in Firefox 50.0.2. Some of these...

A use-after-free vulnerability has been discovered in the SVG Animation component of Firefox, leading to arbitrary code execution.

Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in...

Canvas allows the use of the feDisplacementMap filter on images loaded cross-origin. The rendering by the filter is variable depending on the input pixel,...

An issue where a <select> dropdown menu can be used to cover location bar content, resulting in potential spoofing attacks. This attack requires e10s to be...

An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows...

WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox.

Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history.

A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations...

A heap-use-after-free in nsRefreshDriver during web animations when working with timelines resulting in a potentially exploitable crash.

Two heap-use-after-free errors during DOM operations in nsINode::ReplaceOrInsertBefore resulting in potentially exploitable crashes.

A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data.

Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a...

An integer overflow vulnerability has been discovered during the parsing of XML using the Expat library.