An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

**Mozilla Foundation Security Advisory 2022-24**

Announced

June 28, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 102

_Note_: While Bug 1771084 does not represent a specific vulnerability that was fixed, we recommend anyone rebasing patches to include it. 102 branch: Patch 1 and 2. 91 Branch: Patch 1 and 2 (Despite saying Parts 2 and 3, there is no Part 1)

**#CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks.  
_This bug only affects Firefox for Linux. Other operating systems are unaffected._

**References**

*   Bug 1745595

**#CVE-2022-34470: Use-after-free in nsSHistory**

Reporter

Armin Ebert

Impact

high

**Description**

Session history navigations may have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1765951

**#CVE-2022-34468: CSP sandbox header without \`allow-scripts\` can be bypassed via retargeted javascript: URI**

Reporter

Armin Ebert

Impact

high

**Description**

An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link.

**References**

*   Bug 1768537

**#CVE-2022-34482: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Attila Suszter

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483.

**References**

*   Bug 845880

**#CVE-2022-34483: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Eduardo Braun Prado

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482.

**References**

*   Bug 1335845

**#CVE-2022-34476: ASN.1 parser could have been tricked into accepting malformed ASN.1**

Reporter

Gustavo Grieco

Impact

moderate

**Description**

ASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1.

**References**

*   Bug 1387919

**#CVE-2022-34481: Potential integer overflow in ReplaceElementsAt**

Reporter

Ronald Crane

Impact

moderate

**Description**

In the nsTArray_Impl::ReplaceElementsAt() function, an integer overflow could have occurred when the number of elements to replace was too large for the container.

**References**

*   Bug 1497246
*   Bug 1483699

**#CVE-2022-34474: Sandboxed iframes could redirect to external schemes**

Reporter

Amazon Malvertising Team

Impact

moderate

**Description**

Even when an iframe was sandboxed with allow-top-navigation-by-user-activation, if it received a redirect header to an external protocol the browser would process the redirect and prompt the user as appropriate.

**References**

*   Bug 1677138

**#CVE-2022-34469: TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android**

Reporter

Peter Gerber

Impact

moderate

**Description**

When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1721220

**#CVE-2022-34471: Compromised server could trick a browser into an addon downgrade**

Reporter

Rob Wu

Impact

moderate

**Description**

When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version.

**References**

*   Bug 1766047

**#CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked**

Reporter

Laurent Bigonville

Impact

moderate

**Description**

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown.

**References**

*   Bug 1770123

**#CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt**

Reporter

Gijs

Impact

moderate

**Description**

The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1773717

**#CVE-2022-2200: Undesired attributes could be set as part of prototype pollution**

Reporter

Manfred Paul via Trend Micro's Zero Day Initiative

Impact

moderate

**Description**

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution.

**References**

*   Bug 1771381

**#CVE-2022-34480: Free of uninitialized pointer in lg\_init**

Reporter

Ronald Crane

Impact

low

**Description**

Within the lg_init() function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated.

**References**

*   Bug 1454072

**#CVE-2022-34477: MediaError message property leaked information on cross-origin same-site pages**

Reporter

jannis

Impact

low

**Description**

The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks.

**References**

*   Bug 1731614

**#CVE-2022-34475: HTML Sanitizer could have been bypassed via same-origin script via use tags**

Reporter

Gareth Heyes

Impact

low

**Description**

SVG <use> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed.

**References**

*   Bug 1757210

**#CVE-2022-34473: HTML Sanitizer could have been bypassed via use tags**

Reporter

Armin Ebert

Impact

low

**Description**

The HTML Sanitizer should have sanitized the href attribute of SVG <use> tags; however it incorrectly did not sanitize xlink:href attributes.

**References**

*   Bug 1770888

**#CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11**

Reporter

Mozilla developers and community

Impact

high

**Description**

The Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101 and Firefox ESR 91.10. Some of these bugs showed evidence of JavaScript prototype or memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11

**#CVE-2022-34485: Memory safety bugs fixed in Firefox 102**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102

CVE-2022-34468: Security Vulnerabilities fixed in Firefox 102

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96.

**Mozilla Foundation Security Advisory 2022-01**

Announced

January 11, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 96

**#CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1735071

**#CVE-2022-22743: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode.

**References**

*   Bug 1739220

**#CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.

**References**

*   Bug 1739923

**#CVE-2022-22741: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode.

**References**

*   Bug 1740389

**#CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1742334

**#CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur**

Reporter

Atte Kettunen

Impact

high

**Description**

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash.

**References**

*   Bug 1742382

**#CVE-2022-22737: Race condition when playing audio files**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1745874

**#CVE-2021-4140: Iframe sandbox bypass with XSLT**

Reporter

Peter Van der Beken

Impact

high

**Description**

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox.

**References**

*   Bug 1746720

**#CVE-2022-22750: IPC passing of resource handles could have lead to sandbox bypass**

Reporter

Jed Davis

Impact

moderate

**Description**

By generally accepting and passing resource handles across processes, a compromised content process might have confused higher privileged processes to interact with handles that the unprivileged process should not have access to.  
_This bug only affects Firefox for Windows and MacOS. Other operating systems are unaffected._

**References**

*   Bug 1566608

**#CVE-2022-22749: Lack of URL restrictions when scanning QR codes**

Reporter

Wladimir Palant working with Include Security

Impact

moderate

**Description**

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1705094

**#CVE-2022-22748: Spoofed origin on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

moderate

**Description**

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol.

**References**

*   Bug 1705211

**#CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event**

Reporter

Jannis Rautenstrauch

Impact

moderate

**Description**

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

**References**

*   Bug 1735856

**#CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Mattias Jacobsson

Impact

moderate

**Description**

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1737252

**#CVE-2022-22763: Script Execution during invalid object state**

Reporter

Mozilla Fuzzing Team

Impact

moderate

**Description**

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible.

**References**

*   Bug 1740534

**#CVE-2022-22747: Crash when handling empty pkcs7 sequence**

Reporter

Tavis Ormandy

Impact

low

**Description**

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable.

**References**

*   Bug 1735028

**#CVE-2022-22736: Potential local privilege escalation when loading modules from the install directory.**

Reporter

Toshihito Kikuchi

Impact

low

**Description**

If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However the install directory is not world-writable by default.  
_This bug only affects Firefox for Windows in a non-default installation. Other operating systems are unaffected._

**References**

*   Bug 1742692

**#CVE-2022-22739: Missing throttling on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

low

**Description**

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol.

**References**

*   Bug 1744158

**#CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

**#CVE-2022-22752: Memory safety bugs fixed in Firefox 96**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96

CVE-2022-22749: Security Vulnerabilities fixed in Firefox 96

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

**Mozilla Foundation Security Advisory 2022-49**

Announced

November 15, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 102.5

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-45403: Service Workers might have learned size of cross-origin media files**

Reporter

Anne van Kesteren and Karl Tomlinson

Impact

high

**Description**

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file.

**References**

*   Bug 1762078

**#CVE-2022-45404: Fullscreen notification bypass**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of popup and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1790815

**#CVE-2022-45405: Use-after-free in InputStream implementation**

Reporter

Atte Kettunen

Impact

high

**Description**

Freeing arbitrary nsIInputStream's on a different thread than creation could have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1791314

**#CVE-2022-45406: Use-after-free of a JavaScript Realm**

Reporter

Samuel Groß

Impact

high

**Description**

If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1791975

**#CVE-2022-45408: Fullscreen notification bypass via windowName**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1793829

**#CVE-2022-45409: Use-after-free in Garbage Collection**

Reporter

Gary Kwong

Impact

high

**Description**

The garbage collector could have been aborted in several states and zones and GCRuntime::finishCollection may not have been called, leading to a use-after-free and potentially exploitable crash

**References**

*   Bug 1796901

**#CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy**

Reporter

Dongsung Kim

Impact

moderate

**Description**

When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers.

**References**

*   Bug 1658869

**#CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers**

Reporter

scarlet

Impact

moderate

**Description**

Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on fetch() and XMLHttpRequest; however some webservers have implemented non-standard headers such as X-Http-Method-Override that override the HTTP method, and made this attack possible again. Thunderbird has applied the same mitigations to the use of this and similar headers.

**References**

*   Bug 1790311

**#CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers**

Reporter

Armin Ebert

Impact

moderate

**Description**

When resolving a symlink such as file:///proc/self/fd/1, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer.  
_This bug only affects Thunderbird on Unix-based operated systems (Android, Linux, MacOS). Windows is unaffected._

**References**

*   Bug 1791029

**#CVE-2022-45416: Keystroke Side-Channel Leakage**

Reporter

Erik Kraft, Martin Schwarzl, and Andrew McCreight

Impact

moderate

**Description**

Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed.

**References**

*   Bug 1793676

**#CVE-2022-45418: Custom mouse cursor could have been drawn over browser UI**

Reporter

Hafiizh

Impact

moderate

**Description**

If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1795815

**#CVE-2022-45420: Iframe contents could be rendered outside the iframe**

Reporter

Suhwan Song of SNU CompSec Lab

Impact

low

**Description**

Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1792643

**#CVE-2022-45421: Memory safety bugs fixed in Thunderbird 102.5**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Thunderbird 102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 102.5

CVE-2022-45403: Security Vulnerabilities fixed in Thunderbird 102.5

During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash.<br>*This issue only affects Firefox for Android. Other operating systems are not affected.*. This vulnerability affects Firefox < 105.

**Mozilla Foundation Security Advisory 2022-40**

Announced

September 20, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 105

This advisory was updated December 13, 2022 to add CVE-2022-46880. This fix was included in the original release of Firefox 105, but did not appear in the advisory published at that time.

**#CVE-2022-3266: Out of bounds read when decoding H264**

Reporter

Willy R. Vasquez at UT Austin

Impact

high

**Description**

An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash.

**References**

*   Bug 1767360

**#CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages**

Reporter

Armin Ebert

Impact

high

**Description**

During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments.

**References**

*   Bug 1782211

**#CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads**

Reporter

Armin Ebert

Impact

high

**Description**

Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1787633

**#CVE-2022-46880: Use-after-free in WebGL**

Reporter

Atte Kettunen

Impact

high

**Description**

A missing check related to tex units could have led to a use-after-free and potentially exploitable crash.  
_Note_: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 105.

**References**

*   Bug 1749292

**#CVE-2022-40958: Bypassing Secure Context restriction for cookies with \_\_Host and \_\_Secure prefix**

Reporter

Axel Chong (@Haxatron)

Impact

moderate

**Description**

By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks.

**References**

*   Bug 1779993

**#CVE-2022-40961: Stack-buffer overflow when initializing Graphics**

Reporter

Mozilla Fuzzing Team

Impact

moderate

**Description**

During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash.  
_This issue only affects Firefox for Android. Other operating systems are not affected._

**References**

*   Bug 1784588

**#CVE-2022-40956: Content-Security-Policy base-uri bypass**

Reporter

Satoki Tsuji

Impact

low

**Description**

When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead.

**References**

*   Bug 1770094

**#CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64**

Reporter

Gary Kwong

Impact

low

**Description**

Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.  
_This bug only affects Firefox on ARM64 platforms._

**References**

*   Bug 1777604

**#CVE-2022-40962: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

CVE-2022-40961: Security Vulnerabilities fixed in Firefox 105

When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings.<br>*Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 100.

Sorry, I can't find "_1757138?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-29910: Invalid Bug ID

An attacker could have written a value to the first element in a zero-length JavaScript array. Although the array was zero-length, the value was not written to an invalid memory address. This vulnerability affects Firefox < 104.

**Mozilla Foundation Security Advisory 2022-33**

Announced

August 23, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 104

**#CVE-2022-38472: Address bar spoofing via XSLT error handling**

Reporter

Armin Ebert

Impact

high

**Description**

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin.

**References**

*   Bug 1769155

**#CVE-2022-38473: Cross-origin XSLT Documents would have inherited the parent's permissions**

Reporter

Armin Ebert

Impact

high

**Description**

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access).

**References**

*   Bug 1771685

**#CVE-2022-38474: Recording notification not shown when microphone was recording on Android**

Reporter

Agi Sferro

Impact

low

**Description**

A website that had permission to access the microphone could record audio without the audio notification being shown. This bug does not allow the attacker to bypass the permission prompt - it only affects the notification shown once permission has been granted.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1719511

**#CVE-2022-38475: Attacker could write a value to a zero-length array**

Reporter

Christian Holler

Impact

low

**Description**

An attacker could have written a value to the first element in a zero-length JavaScript array. Although the array was zero-length, the value was not written to an invalid memory address.

**References**

*   Bug 1773266

**#CVE-2022-38477: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2

**#CVE-2022-38478: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13**

Reporter

Mozilla developers and community

Impact

high

**Description**

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

CVE-2022-38475: Security Vulnerabilities fixed in Firefox 104

When visiting a website with an overly long URL, the user interface would start to hang. Due to session restore, this could lead to a permanent Denial of Service.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 103.

Sorry, I can't find "_1759951?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-36317: Invalid Bug ID

When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had been subject to a redirect. This vulnerability affects Firefox < 103.

**Mozilla Foundation Security Advisory 2022-28**

Announced

July 26, 2022

Impact

moderate

Products

Firefox

Fixed in

*   Firefox 103

**#CVE-2022-36319: Mouse Position spoofing with CSS transforms**

Reporter

Irvan Kurniawan

Impact

moderate

**Description**

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed.

**References**

*   Bug 1737722

**#CVE-2022-36317: Long URL would hang Firefox for Android**

Reporter

Irwan

Impact

moderate

**Description**

When visiting a website with an overly long URL, the user interface would start to hang. Due to session restore, this could lead to a permanent Denial of Service.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1759951

**#CVE-2022-36318: Directory indexes for bundled resources reflected URL parameters**

Reporter

Gijs Kruitbosch

Impact

moderate

**Description**

When visiting directory listings for chrome:// URLs as source text, some parameters were reflected.

**References**

*   Bug 1771774

**#CVE-2022-36314: Opening local <code>.lnk</code> files could cause unexpected network loads**

Reporter

akucybersec

Impact

moderate

**Description**

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.  
This bug only affects Firefox for Windows. Other operating systems are unaffected.\*

**References**

*   Bug 1773894

**#CVE-2022-36315: Preload Cache Bypasses Subresource Integrity**

Reporter

Hiroshige Hayashizaki

Impact

low

**Description**

When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata.

**References**

*   Bug 1762520

**#CVE-2022-36316: Performance API leaked whether a cross-site resource is redirecting**

Reporter

Jannis Rautenstrauch

Impact

low

**Description**

When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had been subject to a redirect.

**References**

*   Bug 1768583

**#CVE-2022-36320: Memory safety bugs fixed in Firefox 103**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 103

**#CVE-2022-2505: Memory safety bugs fixed in Firefox 103 and 102.1**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 103 and 102.1

CVE-2022-36316: Security Vulnerabilities fixed in Firefox 103

The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100.

**Mozilla Foundation Security Advisory 2022-16**

Announced

May 3, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 100

**#CVE-2022-29914: Fullscreen notification bypass using popups**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks.

**References**

*   Bug 1746448

**#CVE-2022-29909: Bypassing permission prompt in nested browsing contexts**

Reporter

Armin Ebert

Impact

high

**Description**

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions.

**References**

*   Bug 1755081

**#CVE-2022-29916: Leaking browser history with CSS variables**

Reporter

Mateusz Sionkowski

Impact

high

**Description**

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history.

**References**

*   Bug 1760674

**#CVE-2022-29911: iframe Sandbox bypass**

Reporter

Trung Pham

Impact

high

**Description**

An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present.

**References**

*   Bug 1761981

**#CVE-2022-29912: Reader mode bypassed SameSite cookies**

Reporter

Matheus Vrech

Impact

moderate

**Description**

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute.

**References**

*   Bug 1692655

**#CVE-2022-29910: Firefox for Android forgot HTTP Strict Transport Security settings**

Reporter

Mark B

Impact

moderate

**Description**

When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings.  
_Note: This issue only affected Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1757138

**#CVE-2022-29915: Leaking cross-origin redirect through the Performance API**

Reporter

Sohom Datta

Impact

low

**Description**

The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects.

**References**

*   Bug 1751678

**#CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9

**#CVE-2022-29918: Memory safety bugs fixed in Firefox 100**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 100

CVE-2022-29915: Security Vulnerabilities fixed in Firefox 100

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Sorry, I can't find "_1758070?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

Tag

#android