-
Posts
2,544 -
Joined
-
Last visited
Posts posted by trium
-
-
ff v102.4.0 esr
18. oct 2022
Fixed
-
Various stability, functionality, and security fixes.
QuoteSecurity Vulnerabilities fixed in Firefox ESR 102.4
- Announced October 18, 2022
- Impact high
- Products Firefox ESR
- Fixed in
-
- Firefox ESR 102.4
#CVE-2022-42927: Same-origin policy violation could have leaked cross-origin URLs
- Reporter James Lee
- Impact high
Description
A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via
performance.getEntries()
.References
#CVE-2022-42928: Memory Corruption in JS Engine
- Reporter Samuel Groß
- Impact high
Description
Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption and a potentially exploitable crash.
References
#CVE-2022-42929: Denial of Service via window.print
- Reporter Andrei Enache
- Impact moderate
Description
If a website called
window.print()
in a particular way, it could cause a denial of service of the browser, which may persist beyond browser restart depending on the user's session restore settings.References
#CVE-2022-42932: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4
- Reporter Mozilla developers and community
- Impact moderate
Description
Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105 and Firefox ESR 102.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
-
-
ff v106.0
18. oct 2022
New
-
It is now possible to edit PDFs: including writing text, drawing, and adding signatures.
-
Setting Firefox as your default browser now also makes it the default PDF application on Windows systems.
-
You can now pin private windows to your Windows taskbar on Window 10 and Windows 11 for simpler access. Also, private windows have been redesigned to increase the feeling of privacy.
-
Swipe-to-navigate (two fingers on a touchpad swiped left or right to perform history back or forward) now works for Linux users on Wayland.
-
Text Recognition in images allows users on macOS 10.15 and higher to extract text from the selected image (such as a meme or screenshot).
Extracted text is copied to the clipboard in order to share, store, or search—without needing to manually retype everything.
-
This feature is compatible with “VoiceOver,” the built-in macOS
screen reader. - For more information, check out our SUMO article.
-
This feature is compatible with “VoiceOver,” the built-in macOS
-
“Firefox View” helps you get back to content you previously discovered. A pinned tab allows you to find and open recently closed tabs on your current device, access tabs from other devices (via our “Tab Pickup” feature), and change the look of the browser (with Colorways).
- For more information, read our SUMO article.
-
With the launch of the “Independent Voices” collection, Firefox is introducing 18 new “Colorways.” You can now access a “Colorways” modal experience via “Firefox View”; each new color is accompanied with a bespoke graphic and a text description that speaks to its deeper meaning. The collection will be available through Jan 16.
- For more information, check out our SUMO article.
Fixed
-
Various security fixes.
Developer
Web Platform
-
A major upgrade to our WebRTC capabilities (libwebrtc library upgraded from version 86 to 103) brings multiple improvements:
- Better screen sharing for Windows and Linux Wayland users.
- Lower CPU usage and increased frame rates during WebRTC screen capture on macOS.
- RTP performance and reliability improvements.
- Richer statistics.
- Cross-browser and service compatibility improvements.
Unresolved
-
We are investigating an increase in crashes reported by users with AMD Zen 1 CPUs(fixed in 106.0.1). -
We are investigating hangs with Firefox installed from the Windows Store(fixed in 106.0.2). -
We are investigating with Microsoft hangs experienced by Firefox users on Windows 11 version 22H2 triggered when performing certain copy actions on page content. Our support article provides a temporary workaround until we release a fix for this issue(fixed in 106.0.3).
-
-
ff v105.0.3
07. oct 2022
Fixed
-
Mitigated frequent crashes for Windows users with Avast or AVG Antivirus software installed (bug 1794064)
-
-
ff v105.0.2
04. oct 2022
Fixed
-
Fixed poor contrast on various menu items with certain themes on Linux systems (bug 1792063)
-
Fixed the scrollbar appearing on the wrong side of
select
elements in right-to-left locales (bug 1791219) -
Fixed a possible deadlock when loading some sites in Troubleshoot Mode (bug 1786259)
-
Fixed a bug causing some dynamic appearance changes to not appear when expected (bug 1786521)
-
Fixed a bug causing theme styling to not be properly applied to sidebars for some add-ons in Private Browsing Mode (bug 1787543)
-
-
ff v105.0.1
23. sept 2022
Fixed
-
Reverted focus behavior for new windows back to the content area instead of the address bar (bug 1784692)
-
-
ff v102.3.0 esr
20. sept 2022
Fixed
-
Various stability, functionality, and security fixes.
QuoteSecurity Vulnerabilities fixed in Firefox ESR 102.3
- Announced September 20, 2022
- Impact high
- Products Firefox ESR
- Fixed in
-
- Firefox ESR 102.3
#CVE-2022-3266: Out of bounds read when decoding H264
- Reporter Willy R. Vasquez at UT Austin
- Impact high
Description
An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash.
References
#CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages
- Reporter Armin Ebert
- Impact high
Description
During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments.
References
#CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads
- Reporter Armin Ebert
- Impact high
Description
Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash.
References
#CVE-2022-40958: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
- Reporter Axel Chong (@Haxatron)
- Impact moderate
Description
By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks.
References
#CVE-2022-40956: Content-Security-Policy base-uri bypass
- Reporter Satoki Tsuji
- Impact low
Description
When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead.
References
#CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64
- Reporter Gary Kwong
- Impact low
Description
Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.
This bug only affects Firefox on ARM64 platforms.References
#CVE-2022-40962: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3
- Reporter Mozilla developers and community
- Impact high
Description
Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
-
-
ff v105.0
20. sept 2022
New
-
Added an option to print only the current page from the print preview dialog.
-
Firefox now supports partitioned service workers in third-party contexts. You can register service workers in a third-party iframe and it will be partitioned under the top-level domain.
-
Swipe to navigate (two fingers on a touchpad swiped left or right to perform history back or forward) on Windows is now enabled.
-
Firefox is now compliant with the User Timing L3 specification, which adds additional optional arguments to the
performance.mark
andperformance.measure
methods to provide custom start times, end times, duration, and attached details. -
Searching in large lists for individual items is now 2x faster. This performance enhancement replaces array.includes and array.indexOf with an optimized SIMD version.
Fixed
-
Stability on Windows is significantly improved as Firefox handles low-memory situations much better.
-
Touchpad scrolling on macOS was made more accessible by reducing unintended diagonal scrolling opposite of the intended scroll axis.
-
Firefox is less likely to run out of memory on Linux and performs more efficiently for the rest of the system when memory runs low.
-
Various security fixes.
Developer
Web Platform
-
Support for the Offscreen Canvas DOM API with full context and font support. The OffscreenCanvas API provides a canvas that can be rendered off-screen in both Window and Web Worker contexts.
-
-
uBOLite_1.0.23.6195
github-actions released this
19. Jun 2023
Release notes
- Fix various minor quirks
- Updated filter lists
-
-
ublock v1.50.0
github-actions released this
07. Jun 2023
Fixes / changes
-
Add support to remove attributes in
xml-prune
scriptlet -
Fix/improve
href-sanitizer
scriptlet -
Add
evaldata-prune
scriptlet -
Add support for
xhr
inxml-prune
-
Add
remove-node-text.js
scriptlet -
Add
trusted-set-constant
scriptlet - Support injecting scriptlet in MAIN or ISOLATED world
-
Add trusted-source support for privileged scriptlets (and add
replace-node-text
scriptlet) -
Add
spoof-css
scriptlet - Add back AdGuard Tracking Protection
- Expand/harden some scriptlets
- Return string when storage.sync.get() promise fails
-
Do not bail out when
content-disposition
isinline
- Fix improperly unselecting imported lists
- Report injected scriptlets in troubleshooting information
- Fix rendering issue of row-filter icon in popup panel
- Add "scriptlet" filter expression to logger
- Fix hostname-detecting regex
- Add support for sublists in "Filter lists" pane
- Properly handle converted procedural filters in logger
- Mind small screen size in asset viewer
- Add thunderbird as target for installation
- Add ability to execute aeld scriptlet at a later time
- Move hostname label to top of popup panel
- Offer opportunity to update filter lists before reporting issue
-
Fix compiling of negated regex-based
to=
domain
-
Add support to remove attributes in
-
uBOLite_0.1.23.6055
github-actions released this
05. Jun 2023
Release notes
- Fix issue with updateContentScripts API and other fixes
-
Mitigation: Inject CSS user styles to enforce cosmetic filtering
- Virtuous side effect is to fix cosmetic filtering in Firefox.
-
Refactor content scripts related to specific cosmetic filtering
-
As a result, two annoyances-related lists have been added:
- EasyList -- Cookies
- EasyList -- Annoyances
-
As a result, two annoyances-related lists have been added:
- Extend scriplet filtering support to all scriptlets
- Updated filter lists
-
uBOLite_0.1.23.5226
github-actions released this
22. Mar 2023
Release notes
- Fix sticky blocking mode
- Updated filter lists
-
-
ublock v1.49.0
github-actions released this
18. Apr 2023
Fixes / changes
- Make the toolbar warning timeout configurable
- Better integrate suspend-network with unprocessed-request
- Properly detect incorrect usage of CSS combinators
- Wrap usage of setTimeout in helper for background + auxiliary pages
- Start using browser.alarms instead of setTimeout() where applicable
- Fix improper detection of quotes in quoted strings
- Add matched cosmetic filters in troubleshooting information
- Add infrastructure for static filter syntax linter
-
Make
object
equivalent offrame
for dynamic filtering purpose -
Enforce implicit media type for filters using
mp4
option - Better detect invalid network filter patterns
- Support view source of "other" type
- Add widget to filter firewall rows in popup panel
- Add support for negated hostnames in HTML filters
- Aggressively auto update assets when at least one is very obsolete
-
Normalize non-ASCII characters in
:matches-path()
argument - Refactor scriptlets injection code
- Properly handle default list status changes in assets.json
-
ublock v1.48.8
github-actions released this
12. Apr 2023
Notes
This release mostly benefits Chromium-based browsers. I haven't decided yet if it's worth publishing this release on AMO since the main issue addressed here does not affect Firefox.
Fixes / changes
-
-
-
-
ublock v1.48.0
github-actions released this
21. Mar 2023
New
Readiness status at browser launch
uBO's readiness at browser launch time is a particularly prickly issue on Chromium-based browsers,[1] especially more so since Chromium 110. This leads to numerous reports of "uBlock stopped working", which are simply caused by the fact that at launch time the browser started to load webpages before uBO was ready to filter properly (because the filter lists were not fully loaded in memory).
To reduce the number of reports caused by this issue which is outside of uBO's control, uBO's toolbar icon will now reflect its readiness status at browser launch (i.e. make visible to users what has always been happening):
-
A yellowish toolbar icon means that uBO is currently loading all filter lists into memory and as such is not ready to filter properly:
-
If additionally there is a yellowish
!
badge while uBO is working toward readiness, this means network requests were fired by the browser which could not be processed by uBO, potentially leading to ads/trackers/etc. not being filtered in some of the already opened webpages:
-
Once uBO is ready to filter properly, a yellowish
!
badge on a normally colored toolbar icon means that the current webpage was not filtered properly at browser launch, potentially causing the current webpage to be afflicted by ads/trackers/etc.:
-
To remediate the browser launch filtering issue on a given webpage, you can simply force a reload of that webpage, which as a result will bring back the badge to be rendered as expected:
For Chromium-based browsers, it is possible to automate step 4 above by checking the setting Suspend network activity until all filter lists are loaded in Filter lists pane in the dashboard. Caveat: in the past some users have reported this negatively interfered with page loading at browser launch time in some cases (example, example), hence why it is optional and not enabled by default in Chromium-based browsers.
With Firefox-based browsers, you should typically only see step 1 and 4 above, unless you disabled the setting Suspend network activity until all filter lists are loaded, which is enabled by default in Firefox.
[1] See uBlock Origin works best on Firefox / Browser launch
Code viewer
Investigating filter issues can be a serious time sink, and to help with this, a code viewer has been added to uBO. The code viewer will automatically beautify HTML/CSS/JS code, which should be an improvement over the browser built-in
view-source
tool.You can view beautified source code of HTML/CSS/JS resources when clicking the link in a logger entry. Additionally, if the advanced setting
filterAuthorMode
is set totrue
, an entry labelled View source code... will be added to the context menu, so that you can view the source code of any page/resource without having to open the logger.Fixes / changes
- Fix broken http header filtering
- Prevent dashboard from loading at browser launch until ready
- Support removing whole lines of text with regex in m3u-prune scriptlet
- Fix broken filter parsing when prepended with spaces
-
Context of
about:blank
is that of parent frame (popup
option) -
Add experimental
href-sanitizer
scriptlet - Prevent dialog box from overflowing logger's viewport
-
Make parser take into account
filterOnHeaders
setting - Show a distinct toolbar icon until filtering engines are fully initialized
- Add source code viewer
-
-
-
-
uBOLite_0.1.23.3038
github-actions released this
03. Mar 2023
Release notes
-
Fix an issue which might have prevented some
redirect
filters from being properly triggered (cd21a0b) - Updated filter lists
-
Fix an issue which might have prevented some
-
-
uBOLite_0.1.23.2176
github-actions released this
17. Feb 2023
Release notes
- Updated filter lists
- Translation work
The Firefox/Mozilla Thread
in Software
Posted
ff v106.0.1
20. oct 2022
Fixed
Addresses a crash experienced by users with AMD Zen 1 CPUs. (bug 1796126)