Security Vulnerabilities fixed in Firefox 120 — Mozilla

Firefox 120 fixed several high-impact security vulnerabilities including out-of-bound memory access, use-after-free issues, Clickjacking exploits, and memory safety bugs.

Key Takeaways:

  • Firefox 120 addressed high-impact vulnerabilities such as out-of-bound memory access in WebGL2, use-after-free in various components, Clickjacking exploits, and memory safety bugs.
  • Reports came from security researchers and developers, highlighting the collaborative nature of bug identification and resolution.
  • The vulnerabilities ranged from high to low impact, affecting various aspects of Firefox’s functionality and security measures.

In the latest update, Firefox 120 fixes several security vulnerabilities. One of these is CVE-2023-6204, concerning an out-of-bound memory access in WebGL2 blitFramebuffer. This issue allowed the leaking of memory data into canvas element images under certain graphics settings and drivers.

Another problem, CVE-2023-6205, involved a use-after-free in MessagePort::Entangled, which could have led to an exploitable crash. Additionally, CVE-2023-6206 detailed a clickjacking vulnerability related to permission prompts during fullscreen transition. There was also a use-after-free vulnerability in ReadableByteStreamQueueEntry::Buffer, logged as CVE-2023-6207.

Firefox 120 also addressed issues like copying contents into X11 primary selection (CVE-2023-6208), incorrect parsing of URLs starting with “///” (CVE-2023-6209), mixed-content resources not being blocked in a javascript: pop-up (CVE-2023-6210), and clickjacking to load insecure pages in HTTPS-only mode (CVE-2023-6211).

Additionally, Firefox 120 resolved memory safety bugs impacting Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4, as recorded under CVE-2023-6212 and CVE-2023-6213.

Source:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/