Mozilla Firefox vulnerabilities
3,148 known vulnerabilities affecting mozilla/firefox.
Total CVEs: 3,148
CISA KEV: 17 (actively exploited)
Public exploits: 122
Exploited in wild: 22
Severity breakdown: CRITICAL 862, HIGH 921, MEDIUM 1295, LOW 70
Vulnerabilities
Page 39 of 158
CVE-2022-45415 | HIGH | CVSS 7.8 | CWE-434 | fixed in 107.0 | ≥ unspecified, < 107 | 2022-12-22
When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later run. This vulnerability affects Firefox < 107.
Sources: nvd, mozilla

CVE-2022-46879 | HIGH | CVSS 8.8 | CWE-787 | fixed in 108.0 | ≥ unspecified, < 108 | 2022-12-22
Mozilla developers and community members Lukas Bernhard, Gabriele Svelto, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affect
Sources: nvd, osv, mozilla

CVE-2022-22736 | HIGH | CVSS 7.0 | CWE-427 | fixed in 96.0 | ≥ unspecified, < 96 | 2022-12-22
If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However the install directory is not world-writable by default. *This bug only affects Firefox for Windows in a non-default installation. Other operating systems are unaffected.* This vulner
Sources: nvd, mozilla

CVE-2022-45405 | MEDIUM | CVSS 6.5 | CWE-416 | fixed in 107.0 | ≥ unspecified, < 107 | 2022-12-22
Freeing arbitrary nsIInputStream's on a different thread than creation could have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Sources: nvd, mozilla

CVE-2022-38475 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 104.0 | ≥ unspecified, < 104 | 2022-12-22
An attacker could have written a value to the first element in a zero-length JavaScript array. Although the array was zero-length, the value was not written to an invalid memory address. This vulnerability affects Firefox < 104.
Sources: nvd, osv, mozilla

CVE-2022-22757 | MEDIUM | CVSS 6.5 | CWE-346 | fixed in 97.0 | ≥ unspecified, < 97 | 2022-12-22
Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. *This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.* This vulnerability affects Firefox < 97.
Sources: nvd, osv, mozilla

CVE-2022-40956 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 105.0 | ≥ unspecified, < 105 | 2022-12-22
When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
Sources: nvd, mozilla

CVE-2022-1097 | MEDIUM | CVSS 6.5 | CWE-416 | fixed in 99.0 | ≥ unspecified, < 99 | 2022-12-22
NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
Sources: nvd, osv, mozilla

CVE-2022-29916 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 100.0 | ≥ unspecified, < 100 | 2022-12-22
Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Sources: nvd, mozilla

CVE-2022-45410 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 107.0 | ≥ unspecified, < 107 | 2022-12-22
When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Sources: nvd, mozilla

CVE-2022-29914 | MEDIUM | CVSS 6.5 | CWE-1021 | fixed in 100.0 | ≥ unspecified, < 100 | 2022-12-22
When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Sources: nvd, mozilla

CVE-2022-36318 | MEDIUM | CVSS 5.3 | CWE-362 | fixed in 103.0 | ≥ unspecified, < 103 | 2022-12-22
When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.
Sources: nvd, mozilla

CVE-2022-45417 | MEDIUM | CVSS 4.3 | CWE-1021 | fixed in 107.0 | ≥ unspecified, < 107 | 2022-12-22
Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have leaked Private Browsing Mode details to disk. This vulnerability affects
Sources: nvd, mozilla

CVE-2022-29915 | MEDIUM | CVSS 4.3 | CWE-346 | fixed in 100.0 | ≥ unspecified, < 100 | 2022-12-22
The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100.
Sources: nvd, osv, mozilla

CVE-2022-34479 | MEDIUM | CVSS 6.5 | CWE-451 | fixed in 102.0 | ≥ unspecified, < 102 | 2022-12-22
A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. *This bug only affects Thunderbird for Linux. Other operating systems are unaffected.* This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102
Sources: nvd, mozilla

CVE-2022-31745 | MEDIUM | CVSS 4.3 | CWE-129 | fixed in 101.0 | ≥ unspecified, < 101 | 2022-12-22
If array shift operations are not used, the Garbage Collector may have become confused about valid objects. This vulnerability affects Firefox < 101.
Sources: nvd, osv, mozilla

CVE-2022-34471 | MEDIUM | CVSS 6.5 | CWE-345 | fixed in 102.0 | ≥ unspecified, < 102 | 2022-12-22
When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102.
Sources: nvd, osv, mozilla

CVE-2022-22746 | MEDIUM | CVSS 5.9 | CWE-362 | fixed in 96.0 | ≥ unspecified, < 96 | 2022-12-22
A race condition could have allowed bypassing the fullscreen notification which could have led to a fullscreen window spoof being unnoticed. *This bug only affects Firefox for Windows. Other operating systems are unaffected.* This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Sources: nvd, mozilla

CVE-2022-29911 | MEDIUM | CVSS 6.1 | CWE-1021 | fixed in 100.0 | ≥ unspecified, < 100 | 2022-12-22
An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Sources: nvd, mozilla

CVE-2022-31743 | MEDIUM | CVSS 6.5 | CWE-79 | fixed in 101.0 | ≥ unspecified, < 101 | 2022-12-22
Firefox's HTML parser did not correctly interpret HTML comment tags, resulting in an incongruity with other browsers. This could have been used to escape HTML comments on pages that put user-controlled data in them. This vulnerability affects Firefox < 101.
Sources: nvd, osv, mozilla