Mozilla has released Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14, which include patches for multiple high-severity vulnerabilities.
The releases address a total of 14 CVEs, nine of which are rated ‘high severity’. Three of the CVEs cover collections of memory safety bugs in Firefox.
Among the high-severity issues, CVE-2023-4046 is described as the use of an incorrect value during WASM compilation: in some circumstances, a stale value could have been used for a global variable in WASM JIT analysis, resulting in incorrect compilation and a potentially exploitable crash in the content process.
CVE-2023-4047 is a permission request bypass via clickjacking: a page could trick users into clicking on a carefully placed item, with the input instead registered as a click on a security dialog that was not displayed to the user.
Other high-severity vulnerabilities include:
- CVE-2023-4048 (an out-of-bounds read flaw causing DOMParser to crash when deconstructing a crafted HTML file),
- CVE-2023-4049 (race conditions leading to potentially exploitable use-after-free vulnerabilities), and
- CVE-2023-4050 (stack buffer overflow in the storage manager, potentially leading to a sandbox escape).
Mozilla also resolved three sets of memory safety bugs, tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058; some of these showed evidence of memory corruption, and Mozilla presumes that with enough effort they could have been exploited to run arbitrary code.
Mozilla makes no mention of any of these vulnerabilities being exploited in attacks.
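For anyone triaging a fleet against this release, the practical question is whether a given build is at or past the fixed release on its own line (116 for rapid release, 115.1 for ESR 115, 102.14 for ESR 102). The Python below is an added example, not code from the original article or from Mozilla: it parses the string printed by `firefox --version` and answers that question per line. It assumes that alphas/betas of the fixed major count as unpatched, and that ESR lines other than 102 and 115 are out of support and therefore unpatched; the sample version strings are constructed.

```python
"""Decide whether a Firefox build is at or past the releases that carry the
fixes above: Firefox 116, ESR 115.1, ESR 102.14.
Added example, not Mozilla's code. Sample inputs are constructed."""
import re

# Minimum fixed version on each maintained line, from the release note above.
# Key shape is (major, minor, patch, final); see parse_version for `final`.
FIXED = {
    "esr102": (102, 14, 0, 1),
    "esr115": (115, 1, 0, 1),
    "release": (116, 0, 0, 1),
}

# Matches "116.0", "116.0.1", "115.0.3esr", "116.0b9", "117.0a1", including
# the token inside "Mozilla Firefox 116.0" as printed by `firefox --version`.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr|[ab]\d+)?\b")


def parse_version(text: str):
    """Return a comparable key (major, minor, patch, final) plus the branch name.

    `final` is 1 for a shipped release and 0 for an alpha/beta, so that a
    pre-release of major N sorts below N.0. Assumption: betas of 116 are
    treated as unpatched, since the advisory names 116 as the fixed release."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    major, minor, patch, suffix = m.groups()
    major, minor, patch = int(major), int(minor), int(patch or 0)
    final = 0 if suffix and suffix[0] in "ab" else 1
    if suffix == "esr" and major in (102, 115):
        branch = f"esr{major}"
    else:
        # Non-ESR builds, and ESR lines no longer maintained (e.g. 91esr),
        # are measured against the rapid-release fix, so old ESRs read as unpatched.
        branch = "release"
    return (major, minor, patch, final), branch


def is_patched(text: str) -> bool:
    """True if the build carries the fixes for its line, False if it needs an update."""
    key, branch = parse_version(text)
    return key >= FIXED[branch]


def triage(version_strings):
    """Map each reported version string to True (patched) / False (update needed)."""
    return {v: is_patched(v) for v in version_strings}


if __name__ == "__main__":
    # Constructed sample of `firefox --version` output gathered from a fleet.
    sample = [
        "Mozilla Firefox 116.0",
        "Mozilla Firefox 115.0.3esr",
        "Mozilla Firefox 115.1.0esr",
        "Mozilla Firefox 102.13.0esr",
        "Mozilla Firefox 102.14.0esr",
        "Mozilla Firefox 116.0b9",
        "Mozilla Firefox 91.13.0esr",
    ]
    for v, ok in triage(sample).items():
        print(f"{'patched' if ok else 'UPDATE '} {v}")
```

The branch split matters because a plain numeric comparison against 116 would flag every ESR 115.1 and 102.14 install as vulnerable; conversely, an ESR install on a line Mozilla no longer ships (91esr in the sample) is reported as needing an update rather than silently passing.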