Mozilla recently announced the release of Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14, which include patches for multiple high-severity vulnerabilities. Mozilla lists 14 CVEs in its advisory, nine of which are rated high severity. Three of the CVEs refer to memory safety bugs in Firefox. The first of the high-severity flaws tracked as CVE-2023-4045 is described as a cross-origin restrictions bypass in Offscreen Canvas, which failed to properly track cross-origin tainting. Mozilla noted that the issue can allow web pages to view images displayed in a page from a different site. Browsers include a same-origin policy that prevents HTML and JavaScript code originating on a website from accessing content on other sites. The second high-severity issue that Firefox 116 patches is CVE-2023-4046, which is described as the use of an incorrect value during WASM compilation. Mozilla noted that in some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. Mozilla noted that the browser update also resolves CVE-2023-4047, a permission request bypass via clickjacking. A page could trick users into clicking on a carefully placed item but instead, register the input as a click on a security dialog that was not displayed to the user. The three other high-severity vulnerabilities that Firefox 116 resolves include CVE-2023-4048 (an out-of-bounds read flaw causing DOMParser to crash when deconstructing a crafted HTML file), CVE-2023-4049 (race conditions leading to potentially exploitable use-after-free vulnerabilities), and CVE-2023-4050 (stack buffer overflow in StorageManager potentially leading to a sandbox escape). Tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058, Mozilla noted that the memory safety bugs resolved in Firefox 116 could have led to arbitrary code execution. Most of these high-severity issues, Mozilla says, also impact Firefox extended support and Thunderbird and were addressed in Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. Mozilla makes no mention of any of these vulnerabilities being exploited in attacks.
SecurityWeek reports: "Firefox 116 Patches High-Severity Vulnerabilities"