Advisory

Firefox 127 patches 15 vulnerabilities, including critical flaws

Take action: Time to update your Mozilla Firefox and other Firefox-based browsers (Tor, Waterfox...). The severity scores look very bad, but it's no big deal - just update the browser as soon as you can. It takes less than 30 seconds, and all your tabs come back open.


Learn More

Mozilla has released Firefox 127, addressing 15 vulnerabilities, including four high-severity issues, three of which are memory safety bugs. Below is a detailed overview of the vulnerabilities fixed in this update:

  • CVE-2024-5687 (CVSS score 5.3): Incorrect principal could have been used when opening new tabs. If a specific sequence of actions was performed when opening a new tab, the triggering principal associated with the new tab may have been incorrect. This could lead to incorrect security checks within the browser and incorrect or misleading information sent to remote websites. This bug affects only Firefox for Android.

  • CVE-2024-5688 (CVSS score 9.8): Use-after-free in JavaScript object transplant. If garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant.

  • CVE-2024-5700 (CVSS score 9.8): Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Some of these bugs showed evidence of memory corruption, and it is presumed that with enough effort, some could be exploited to run arbitrary code.

  • CVE-2024-5701 (CVSS score 9.8): Memory safety bugs fixed in Firefox 127. Memory safety bugs present in Firefox 126. Some of these bugs showed evidence of memory corruption, and it is presumed that with enough effort, some could be exploited to run arbitrary code.

  • CVE-2024-5689 (CVSS score 9.8): User confusion and possible phishing vector via Firefox Screenshots. A website could overlay the 'My Shots' button that appears when a user takes a screenshot, directing the user to a replica Firefox Screenshots page that could be used for phishing.

  • CVE-2024-5690 (CVSS score 9.8): External protocol handlers leaked by timing attack. By monitoring the time certain operations take, an attacker could guess which external protocol handlers were functional on a user's system.

  • CVE-2024-5691 (CVSS score 9.8): Sandboxed iframes could bypass sandbox restrictions to open a new window. By tricking the browser with an X-Frame-Options header, a sandboxed iframe could present a button that, if clicked by a user, would bypass restrictions to open a new window.

  • CVE-2024-5692 (CVSS score 9.8): Bypass of file name restrictions during saving. On Windows, when using the 'Save As' functionality, an attacker could trick the browser into saving the file with a disallowed extension such as .url by including an invalid character in the extension.

  • CVE-2024-5693 (CVSS score 9.8): Cross-origin image leak via Offscreen Canvas. Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy.

  • CVE-2024-5694 (CVSS score 9.8): Use-after-free in JavaScript Strings. An attacker could cause a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap.

  • CVE-2024-5695 (CVSS score 9.8): Memory corruption using allocation in out-of-memory conditions. If an out-of-memory condition occurs at a specific point using allocations in the probabilistic heap checker, an assertion could be triggered, and in rarer situations, memory corruption could occur.

  • CVE-2024-5696 (CVSS score 9.8): Memory corruption in text fragments. By manipulating the text in an <input> tag, an attacker could cause memory corruption leading to a potentially exploitable crash.

  • CVE-2024-5697 (CVSS score 9.8): Website was able to detect when Firefox was taking a screenshot. A website could detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox.

  • CVE-2024-5698 (CVSS score 4.3): Data-list could have overlaid address bar. By manipulating the fullscreen feature while opening a data-list, an attacker could overlay a text box over the address bar, leading to user confusion and possible spoofing attacks.

  • CVE-2024-5699 (CVSS score 9.8): Cookie prefixes not treated as case-sensitive. Cookie prefixes such as __Secure were ignored if not correctly capitalized, violating the spec, which requires case-insensitive comparison. This could result in the browser not honoring the behaviors specified by the prefix.
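
The cookie-prefix issue (CVE-2024-5699) is easy to reproduce in any code that enforces prefixes itself, such as a proxy, a test harness or a server-side cookie filter. The following is an added example, not Firefox code: it compares a case-sensitive prefix check with a case-insensitive one over constructed Set-Cookie headers. The function names, the sample headers and the `example.test` domain are assumptions made for illustration.

```javascript
// Added example, not Firefox source code: cookie-prefix enforcement.
// Prefix requirements modelled here:
//   __Secure-  -> cookie must carry the Secure attribute
//   __Host-    -> Secure, Path=/, and no Domain attribute
const RULES = [
  ["__Secure-", (c) => c.secure],
  ["__Host-", (c) => c.secure && c.path === "/" && c.domain === undefined],
];

// Parse a Set-Cookie header value into its name and the attributes we check.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "path") cookie.path = value;
    else if (key === "domain") cookie.domain = value;
  }
  return cookie;
}

// Returns true if the cookie may be stored. With caseInsensitive=false the
// prefix is only recognised when capitalised exactly (the flawed behaviour).
function acceptCookie(header, caseInsensitive) {
  const c = parseSetCookie(header);
  const name = caseInsensitive ? c.name.toLowerCase() : c.name;
  return RULES.every(([prefix, satisfied]) => {
    const p = caseInsensitive ? prefix.toLowerCase() : prefix;
    return !name.startsWith(p) || satisfied(c);
  });
}

// Constructed sample headers (example.test is a placeholder domain).
const SAMPLES = [
  "__Host-sid=abc; Secure; Path=/",
  "__Secure-sid=abc; Path=/",
  "__secure-sid=abc; Path=/",
  "__HOST-sid=abc; Secure; Path=/; Domain=example.test",
];

function compare() {
  return SAMPLES.map((h) => ({ header: h, flawed: acceptCookie(h, false), fixed: acceptCookie(h, true) }));
}

console.table(compare());
```

The last two samples are the ones that matter: the case-sensitive check stores them without applying the prefix requirements, while the case-insensitive check rejects them.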

Mozilla also announced the release of Firefox ESR 115.12, which addresses eight vulnerabilities, including seven fixed in Firefox 127. The additional high-severity vulnerability is:

  • CVE-2024-5702 (CVSS score 9.8): Use-after-free issue in networking. Use-after-free issue in networking that could potentially be exploited.

No exploitation of these vulnerabilities in the wild has been reported. Users are encouraged to update to the latest Firefox version to ensure they are protected from these vulnerabilities. For more detailed information,
