| Description: | Summary:
Mozilla Firefox ESR is prone to multiple vulnerabilities.
Vulnerability Insight:
Multiple flaws exist due to:
- Logging-related command line parameters are not properly sanitized.
- Multiple use-after-free errors.
- A same-origin policy violation.
- The Mozilla Maintenance Service does not guard against files being hardlinked
to another file in the updates directory.
- Privilege escalation with Mozilla Maintenance Service in custom Firefox
installation location.
- Sandbox escape through Firefox Sync
- Navigation events were not fully adhering to the W3C's 'Navigation-Timing Level 2'
draft specification in some instances for the unload event.
- Persistence of WebRTC permissions in a third party context.
- A vulnerability exists in WebRTC where malicious web content can use probing
techniques on the getUserMedia API using constraints.
- A type confusion vulnerability exists in Spidermonkey.
- 'Forget about this site' removes sites from pre-loaded HSTS list.
- Content Security Policy (CSP) bypass.
- Memory safety bugs.
Vulnerability Impact:
Successful exploitation allows attackers to
cause denial of service, escalate privileges, conduct cross site scripting
attacks and disclose sensitive information.
Affected Software/OS:
Mozilla Firefox ESR version before
68.1 on Windows.
Solution:
Update to Mozilla Firefox ESR version 68.1
or later. Please see the references for more information.
CVSS Score:
9.3
CVSS Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C
|
