Advisory

Firefox 129 fixes 14 flaws, 11 high severity

Take action: Not urgent, but smart - Update your Mozilla Firefox and other Firefox-based browsers (Tor, Waterfox...). The severity scores are not too bad, but it's still good to update - it takes less than 30 seconds, and all your tabs come back open.


Learn More

Mozilla Foundation has addressed multiple security vulnerabilities in Firefox 129, with several marked as high impact. These vulnerabilities could be exploited by attackers to compromise user security and privacy. Details of the high-impact vulnerabilities are as follows:

High Impact Vulnerabilities (per Mozilla evaluation)

  1. CVE-2024-7518: Fullscreen Notification Dialog Obscured by Document Content. Certain options could obscure the fullscreen notification dialog, enabling malicious sites to perform spoofing attacks.

  2. CVE-2024-7519: Out of Bounds Memory Access in Graphics Shared Memory Handling. Insufficient checks during graphics shared memory processing could lead to memory corruption and potentially allow sandbox escapes.

  3. CVE-2024-7520: Type Confusion in WebAssembly. A type confusion bug in WebAssembly could be exploited to achieve code execution.

  4. CVE-2024-7521: Incomplete WebAssembly Exception Handling. Incomplete exception handling in WebAssembly could lead to a use-after-free vulnerability.

  5. CVE-2024-7522: Out of Bounds Read in Editor Component. Failure to check an attribute value in the editor component could result in an out-of-bounds read.

  6. CVE-2024-7523: Document Content Could Partially Obscure Security Prompts. Select options could partially obscure security prompts, potentially tricking users into granting permissions. This affects only the Android versions of Firefox.

  7. CVE-2024-7524: CSP Strict-Dynamic Bypass Using Web-Compatibility Shims. Web-compatibility shims added by Firefox in place of blocked tracking scripts could be used by attackers to bypass CSP strict-dynamic protections via DOM Clobbering attacks.

  8. CVE-2024-7525: Missing Permission Check When Creating a StreamFilter. A web extension with minimal permissions could create a StreamFilter to read and modify the response body of requests on any site.

  9. CVE-2024-7526: Uninitialized Memory Used by WebGL. Failure to initialize parameters in WebGL could lead to reading from uninitialized memory, potentially leaking sensitive data.

  10. CVE-2024-7527: Use-After-Free in JavaScript Garbage Collection. Unexpected marking work at the start of sweeping in JavaScript garbage collection could lead to a use-after-free vulnerability.

  11. CVE-2024-7528: Use-After-Free in IndexedDB. Incorrect garbage collection interaction in IndexedDB could lead to a use-after-free vulnerability.

Moderate and Low Impact Vulnerabilities (per Mozilla evaluation)

  • CVE-2024-7529: Document Content Could Partially Obscure Security Prompts. The date picker could partially obscure security prompts, potentially tricking users into granting permissions.

  • CVE-2024-7530: Use-After-Free in JavaScript Code Coverage Collection. Incorrect garbage collection interaction could lead to a use-after-free vulnerability.

  • CVE-2024-7531: PK11_Encrypt Using CKM_CHACHA20 Can Reveal Plaintext on Intel Sandy Bridge Machines. Using the same buffer for input and output in PK11_Encrypt() with CKM_CHACHA20 on Intel Sandy Bridge processors could reveal plaintext, affecting QUIC header protection.

Users are advised to update their browser to the latest version.
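
A fleet check for the update advice above, as an added example that is not part of the original advisory: it classifies `firefox --version` output against the fixed release, Firefox 129. The inventory records, host names and status labels are constructed; ESR builds and Firefox-based browsers such as Tor Browser or Waterfox use their own version numbering, which this advisory does not list, so they are flagged for manual review instead of being compared.

```shell
#!/bin/sh
# Added example: classify `firefox --version` output against Firefox 129,
# the fixed release named in this advisory.
FIXED_MAJOR=129

# classify_firefox "<version line>" prints one of:
#   PATCHED, OUTDATED, ESR-REVIEW, UNKNOWN
classify_firefox() {
    line=$1
    case $line in
        "Mozilla Firefox "*) ver=${line#"Mozilla Firefox "} ;;
        # Tor Browser, Waterfox etc. number their releases differently;
        # comparing them with 129 would be meaningless.
        *) echo UNKNOWN; return 0 ;;
    esac
    case $ver in
        # The advisory does not list fixed ESR releases: review by hand.
        *esr*) echo ESR-REVIEW; return 0 ;;
    esac
    major=${ver%%.*}
    case $major in
        # Empty or non-numeric major version: do not guess.
        ''|*[!0-9]*) echo UNKNOWN; return 0 ;;
    esac
    if [ "$major" -ge "$FIXED_MAJOR" ]; then
        echo PATCHED
    else
        echo OUTDATED
    fi
}

# audit_inventory reads "host|version line" records on stdin and prints
# "host<TAB>status" for each record.
audit_inventory() {
    while IFS='|' read -r host verline; do
        [ -n "$host" ] || continue
        printf '%s\t%s\n' "$host" "$(classify_firefox "$verline")"
    done
}

# Constructed sample inventory (host names and versions are made up).
audit_inventory <<'EOF'
ws-001|Mozilla Firefox 129.0
ws-002|Mozilla Firefox 128.0.3
ws-003|Mozilla Firefox 115.13.0esr
ws-004|Tor Browser 13.5.1
ws-005|
EOF
```

Hosts reported as `ESR-REVIEW` or `UNKNOWN` need to be checked against the vendor's own release notes for that browser.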
