The Mozilla Foundation has patched nine High risk vulnerabilities in Firefox 96, as well as new security protections to guard against Cross-Site Request Forgery (CSRF) attacks.
An attacker could exploit these vulnerabilities to take control of impacted systems.
As part of Mozilla Foundation Security Advisory 2022-01, Firefox 96 addressed the following nine High severity vulnerabilities:
- CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof
- CVE-2022-22743: Browser window spoof using fullscreen mode
- CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode
- CVE-2022-22741: Browser window spoof using fullscreen mode
- CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
- CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
- CVE-2022-22737: Race condition when playing audio files
- CVE-2021-4140: Iframe sandbox bypass with XSLT
- CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5.
The memory safety bugs could allow an attacker to exploit and then run arbitrary code. To add, six other Moderate and three Low severity vulnerabilities were also patched.
None of the vulnerabilities had known public exploits.
Finally, the latest Firefox 96 version includes security enhancements to enforce the Cookie Policy: Same-Site=lax by default which helps defend against Cross-Site Request Forgery (CSRF) attacks.