Mozilla released Firefox 96 that addressed 18 security vulnerabilities in its web browser and the Thunderbird mail program. Nine vulnerabilities addressed by the new release are rated high-severity, the most severe one is a race condition issue tracked as CVE-2022-22746.
“A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.” reads the advisory published by Mozilla.
The vulnerability only impacts Firefox for Windows operating systems.
An attacker can exploit the vulnerability to bypass the full-screen notification on Windows machines. Another important issue fixed by Mozilla is a fullscreen spoof in the Firefox browser window tracked as CVE-2022-22743. The vulnerability can allow an attacker-controlled tab to prevent the browser from leaving fullscreen mode when the user navigates from inside an iframe.
Another issue fixed by the organization is a bug that prevents a popup window from leaving fullscreen mode when resizing the popup while setting fullscreen mode.
Another issue fixed by Mozilla is an out-of-bounds memory access leading to a potentially exploitable crash, the flaw has been tracked as CVE-2022-22742.
“When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.” continues the advisory.
The above vulnerabilities were discovered by the researchers Irvan Kurniawan.
Firefox 96 also addressed a heap-buffer overflow tracked as CVE-2022-22738. Applying a CSS filter effect could have accessed out-of-bounds memory, which could lead to a heap-buffer-overflow causing a potentially exploitable crash.
Other high-risk flaws fixed with the latest Firefox release include two use-after-free flaws, tracked as CVE-2022-22740 and CVE-2022-22737 respectively, and an iframe sandbox bypass using XSLT tracked as CVE-2021-4140.
The organization fixed six medium severity in issue in Firefox, including a sandbox escape and the lack of URL restrictions when scanning QR codes in Firefox for Android.
The open-source organization also fixed a series of memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5 and Thunderbird 91.5 (CVE-2022-22751).
(SecurityAffairs – hacking, Mozilla)