Mozilla developers and community members Lukas Bernhard, Gabriele Svelto, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 108.

**Mozilla Foundation Security Advisory 2022-51**

Announced

December 13, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 108

**#CVE-2022-46871: libusrsctp library out of date**

Reporter

Mozilla Developers

Impact

high

**Description**

An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited.

**References**

*   Bug 1795697

**#CVE-2022-46872: Arbitrary file read from a compromised content process**

Reporter

Nika Layzell

Impact

high

**Description**

An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.  
_This bug only affects Firefox for Linux. Other operating systems are unaffected._

**References**

*   Bug 1799156

**#CVE-2022-46873: Firefox did not implement the CSP directive unsafe-hashes**

Reporter

Pete Freitag

Impact

moderate

**Description**

Because Firefox did not implement the unsafe-hashes CSP directive, an attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject executable script. This would be severely constrained by the specified Content Security Policy of the document.

**References**

*   Bug 1644790

**#CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions**

Reporter

Matthias Zoellner

Impact

moderate

**Description**

A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could have potentially led to user confusion and the execution of malicious code.

**References**

*   Bug 1746139

**#CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS**

Reporter

Dohyun Lee

Impact

moderate

**Description**

The executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user's computer.  
_Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected._

**References**

*   Bug 1786188

**#CVE-2022-46877: Fullscreen notification bypass**

Reporter

Hafiizh

Impact

low

**Description**

By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1795139

**#CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107 and Firefox ESR 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6

**#CVE-2022-46879: Memory safety bugs fixed in Firefox 108**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Lukas Bernhard, Gabriele Svelto, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 108

CVE-2022-46879: Security Vulnerabilities fixed in Firefox 108

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash. This vulnerability affects Firefox < 99.

**Mozilla Foundation Security Advisory 2022-13**

Announced

April 5, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 99

**#CVE-2022-1097: Use-after-free in NSSToken objects**

Reporter

Randell Jesup

Impact

high

**Description**

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1745667

**#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions**

Reporter

Axel '0vercl0k' Souchet

Impact

high

**Description**

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1755621

**#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument**

Reporter

Kirin

Impact

moderate

**Description**

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potentially exploitable crash.

**References**

*   Bug 1751609

**#CVE-2022-28283: Missing security checks for fetching sourceMapURL**

Reporter

Gijs

Impact

moderate

**Description**

The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that should have been inaccessible.

**References**

*   Bug 1754066

**#CVE-2022-28284: Script could be executed via svg's use element**

Reporter

Leo Balter

Impact

moderate

**Description**

SVG's <use> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs.

**References**

*   Bug 1754522

**#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read.

**References**

*   Bug 1756957

**#CVE-2022-28286: iframe contents could be rendered outside the border**

Reporter

prada960808

Impact

low

**Description**

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

**References**

*   Bug 1735265

**#CVE-2022-28287: Text Selection could crash Firefox**

Reporter

Aryan Sinha

Impact

low

**Description**

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash.

**References**

*   Bug 1741515

**#CVE-2022-24713: Denial of Service via complex regular expressions**

Reporter

Addison Crump and Jan-Erik Rediger

Impact

low

**Description**

The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to supply input to this crate, they could have caused a denial of service in the browser.

**References**

*   Bug 1758509

**#CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98 and Firefox ESR 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8

**#CVE-2022-28288: Memory safety bugs fixed in Firefox 99**

Reporter

Mozilla developers

Impact

moderate

**Description**

Mozilla developers and community members Randell Jesup, Sebastian Hengst, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 99

CVE-2022-28287: Security Vulnerabilities fixed in Firefox 99

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.

**Mozilla Foundation Security Advisory 2022-15**

Announced

April 5, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.8

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-1097: Use-after-free in NSSToken objects**

Reporter

Randell Jesup

Impact

high

**Description**

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1745667

**#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions**

Reporter

Axel '0vercl0k' Souchet

Impact

high

**Description**

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1755621

**#CVE-2022-1197: OpenPGP revocation information was ignored**

Reporter

Thunderbird user Johannes König

Impact

moderate

**Description**

When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected.

**References**

*   Bug 1754985

**#CVE-2022-1196: Use-after-free after VR Process destruction**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

moderate

**Description**

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1750679

**#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument**

Reporter

Kirin

Impact

moderate

**Description**

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash.

**References**

*   Bug 1751609

**#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read.

**References**

*   Bug 1756957

**#CVE-2022-28286: iframe contents could be rendered outside the border**

Reporter

prada960808

Impact

low

**Description**

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

**References**

*   Bug 1735265

**#CVE-2022-24713: Denial of Service via complex regular expressions**

Reporter

Addison Crump and Jan-Erik Rediger

Impact

low

**Description**

The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to supply input to this crate, they could have caused a denial of service in the browser.

**References**

*   Bug 1758509

**#CVE-2022-28289: Memory safety bugs fixed in Thunderbird 91.8**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 91.8

CVE-2022-1196: Security Vulnerabilities fixed in Thunderbird 91.8

<code>NSSToken</code> objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

Sorry, I can't find "_1745667?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1097: Invalid Bug ID

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

**Mozilla Foundation Security Advisory 2022-02**

Announced

January 11, 2022

Impact

high

Products

Firefox ESR

Fixed in

*   Firefox ESR 91.5

**#CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.  
_This bug only affects Thunderbird for Windows. Other operating systems are unaffected._

**References**

*   Bug 1735071

**#CVE-2022-22743: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode.

**References**

*   Bug 1739220

**#CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.

**References**

*   Bug 1739923

**#CVE-2022-22741: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode.

**References**

*   Bug 1740389

**#CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1742334

**#CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur**

Reporter

Atte Kettunen

Impact

high

**Description**

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash.

**References**

*   Bug 1742382

**#CVE-2022-22737: Race condition when playing audio files**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1745874

**#CVE-2021-4140: Iframe sandbox bypass with XSLT**

Reporter

Peter Van der Beken

Impact

high

**Description**

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox.

**References**

*   Bug 1746720

**#CVE-2022-22748: Spoofed origin on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

moderate

**Description**

Malicious websites could have confused Thunderbird into showing the wrong origin when asking to launch a program and handling an external URL protocol.

**References**

*   Bug 1705211

**#CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event**

Reporter

Jannis Rautenstrauch

Impact

moderate

**Description**

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

**References**

*   Bug 1735856

**#CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Mattias Jacobsson

Impact

moderate

**Description**

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1737252

**#CVE-2022-22747: Crash when handling empty pkcs7 sequence**

Reporter

Tavis Ormandy

Impact

low

**Description**

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable.

**References**

*   Bug 1735028

**#CVE-2022-22739: Missing throttling on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

low

**Description**

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol.

**References**

*   Bug 1744158

**#CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

CVE-2021-4140: Security Vulnerabilities fixed in Firefox ESR 91.5

An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

**Mozilla Foundation Security Advisory 2022-24**

Announced

June 28, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 102

_Note_: While Bug 1771084 does not represent a specific vulnerability that was fixed, we recommend anyone rebasing patches to include it. 102 branch: Patch 1 and 2. 91 Branch: Patch 1 and 2 (Despite saying Parts 2 and 3, there is no Part 1)

**#CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks.  
_This bug only affects Firefox for Linux. Other operating systems are unaffected._

**References**

*   Bug 1745595

**#CVE-2022-34470: Use-after-free in nsSHistory**

Reporter

Armin Ebert

Impact

high

**Description**

Session history navigations may have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1765951

**#CVE-2022-34468: CSP sandbox header without \`allow-scripts\` can be bypassed via retargeted javascript: URI**

Reporter

Armin Ebert

Impact

high

**Description**

An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link.

**References**

*   Bug 1768537

**#CVE-2022-34482: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Attila Suszter

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483.

**References**

*   Bug 845880

**#CVE-2022-34483: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Eduardo Braun Prado

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482.

**References**

*   Bug 1335845

**#CVE-2022-34476: ASN.1 parser could have been tricked into accepting malformed ASN.1**

Reporter

Gustavo Grieco

Impact

moderate

**Description**

ASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1.

**References**

*   Bug 1387919

**#CVE-2022-34481: Potential integer overflow in ReplaceElementsAt**

Reporter

Ronald Crane

Impact

moderate

**Description**

In the nsTArray_Impl::ReplaceElementsAt() function, an integer overflow could have occurred when the number of elements to replace was too large for the container.

**References**

*   Bug 1497246
*   Bug 1483699

**#CVE-2022-34474: Sandboxed iframes could redirect to external schemes**

Reporter

Amazon Malvertising Team

Impact

moderate

**Description**

Even when an iframe was sandboxed with allow-top-navigation-by-user-activation, if it received a redirect header to an external protocol the browser would process the redirect and prompt the user as appropriate.

**References**

*   Bug 1677138

**#CVE-2022-34469: TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android**

Reporter

Peter Gerber

Impact

moderate

**Description**

When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1721220

**#CVE-2022-34471: Compromised server could trick a browser into an addon downgrade**

Reporter

Rob Wu

Impact

moderate

**Description**

When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version.

**References**

*   Bug 1766047

**#CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked**

Reporter

Laurent Bigonville

Impact

moderate

**Description**

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown.

**References**

*   Bug 1770123

**#CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt**

Reporter

Gijs

Impact

moderate

**Description**

The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1773717

**#CVE-2022-2200: Undesired attributes could be set as part of prototype pollution**

Reporter

Manfred Paul via Trend Micro's Zero Day Initiative

Impact

moderate

**Description**

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution.

**References**

*   Bug 1771381

**#CVE-2022-34480: Free of uninitialized pointer in lg\_init**

Reporter

Ronald Crane

Impact

low

**Description**

Within the lg_init() function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated.

**References**

*   Bug 1454072

**#CVE-2022-34477: MediaError message property leaked information on cross-origin same-site pages**

Reporter

jannis

Impact

low

**Description**

The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks.

**References**

*   Bug 1731614

**#CVE-2022-34475: HTML Sanitizer could have been bypassed via same-origin script via use tags**

Reporter

Gareth Heyes

Impact

low

**Description**

SVG <use> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed.

**References**

*   Bug 1757210

**#CVE-2022-34473: HTML Sanitizer could have been bypassed via use tags**

Reporter

Armin Ebert

Impact

low

**Description**

The HTML Sanitizer should have sanitized the href attribute of SVG <use> tags; however it incorrectly did not sanitize xlink:href attributes.

**References**

*   Bug 1770888

**#CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11**

Reporter

Mozilla developers and community

Impact

high

**Description**

The Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101 and Firefox ESR 91.10. Some of these bugs showed evidence of JavaScript prototype or memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11

**#CVE-2022-34485: Memory safety bugs fixed in Firefox 102**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102

CVE-2022-34468: Security Vulnerabilities fixed in Firefox 102

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96.

**Mozilla Foundation Security Advisory 2022-01**

Announced

January 11, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 96

**#CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1735071

**#CVE-2022-22743: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode.

**References**

*   Bug 1739220

**#CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.

**References**

*   Bug 1739923

**#CVE-2022-22741: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode.

**References**

*   Bug 1740389

**#CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1742334

**#CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur**

Reporter

Atte Kettunen

Impact

high

**Description**

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash.

**References**

*   Bug 1742382

**#CVE-2022-22737: Race condition when playing audio files**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1745874

**#CVE-2021-4140: Iframe sandbox bypass with XSLT**

Reporter

Peter Van der Beken

Impact

high

**Description**

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox.

**References**

*   Bug 1746720

**#CVE-2022-22750: IPC passing of resource handles could have lead to sandbox bypass**

Reporter

Jed Davis

Impact

moderate

**Description**

By generally accepting and passing resource handles across processes, a compromised content process might have confused higher privileged processes to interact with handles that the unprivileged process should not have access to.  
_This bug only affects Firefox for Windows and MacOS. Other operating systems are unaffected._

**References**

*   Bug 1566608

**#CVE-2022-22749: Lack of URL restrictions when scanning QR codes**

Reporter

Wladimir Palant working with Include Security

Impact

moderate

**Description**

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1705094

**#CVE-2022-22748: Spoofed origin on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

moderate

**Description**

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol.

**References**

*   Bug 1705211

**#CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event**

Reporter

Jannis Rautenstrauch

Impact

moderate

**Description**

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

**References**

*   Bug 1735856

**#CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Mattias Jacobsson

Impact

moderate

**Description**

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1737252

**#CVE-2022-22763: Script Execution during invalid object state**

Reporter

Mozilla Fuzzing Team

Impact

moderate

**Description**

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible.

**References**

*   Bug 1740534

**#CVE-2022-22747: Crash when handling empty pkcs7 sequence**

Reporter

Tavis Ormandy

Impact

low

**Description**

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable.

**References**

*   Bug 1735028

**#CVE-2022-22736: Potential local privilege escalation when loading modules from the install directory.**

Reporter

Toshihito Kikuchi

Impact

low

**Description**

If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However the install directory is not world-writable by default.  
_This bug only affects Firefox for Windows in a non-default installation. Other operating systems are unaffected._

**References**

*   Bug 1742692

**#CVE-2022-22739: Missing throttling on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

low

**Description**

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol.

**References**

*   Bug 1744158

**#CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

**#CVE-2022-22752: Memory safety bugs fixed in Firefox 96**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96

CVE-2022-22749: Security Vulnerabilities fixed in Firefox 96

A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

**Mozilla Foundation Security Advisory 2022-20**

Announced

May 31, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 101

**#CVE-2022-31736: Cross-Origin resource's length leaked**

Reporter

Luan Herrera

Impact

high

**Description**

A malicious website could have learned the size of a cross-origin resource that supported Range requests.

**References**

*   Bug 1735923

**#CVE-2022-31737: Heap buffer overflow in WebGL**

Reporter

Atte Kettunen

Impact

high

**Description**

A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1743767

**#CVE-2022-31738: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1756388

**#CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files**

Reporter

Chaobin Zhang

Impact

high

**Description**

When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1765049

**#CVE-2022-31740: Register allocation problem in WASM on arm64**

Reporter

Gary Kwong

Impact

high

**Description**

On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash.

**References**

*   Bug 1766806

**#CVE-2022-31741: Uninitialized variable leads to invalid memory read**

Reporter

Cybeats PSI Team

Impact

high

**Description**

A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption.

**References**

*   Bug 1767590

**#CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information**

Reporter

Michal

Impact

moderate

**Description**

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals.

**References**

*   Bug 1730434

**#CVE-2022-31743: HTML Parsing incorrectly ended HTML comments prematurely**

Reporter

Linus Särud

Impact

moderate

**Description**

Firefox's HTML parser did not correctly interpret HTML comment tags, resulting in an incongruity with other browsers. This could have been used to escape HTML comments on pages that put user-controlled data in them.

**References**

*   Bug 1747388

**#CVE-2022-31744: CSP bypass enabling stylesheet injection**

Reporter

Gertjan

Impact

moderate

**Description**

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy.

**References**

*   Bug 1757604

**#CVE-2022-31745: Incorrect Assertion caused by unoptimized array shift operations**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

If array shift operations are not used, the Garbage Collector may have become confused about valid objects.

**References**

*   Bug 1760944

**#CVE-2022-1919: Memory Corruption when manipulating webp images**

Reporter

Irvan Kurniawan

Impact

low

**Description**

An attacker could have caused an uninitialized variable on the stack to be mistakenly freed, causing a potentially exploitable crash.

**References**

*   Bug 1761275

**#CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100 and Firefox ESR 91.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10

**#CVE-2022-31748: Memory safety bugs fixed in Firefox 101**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 101

CVE-2022-31736: Security Vulnerabilities fixed in Firefox 101

Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Sorry, I can't find "_1792643?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-45420: Invalid Bug ID

By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108.

Sorry, I can't find "_1795139?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

Tag

#firefox