Jump to content
CCleaner Community Forums
nodles

The Firefox/Mozilla Thread

Recommended Posts

https://blog.nightly.mozilla.org/2019/05/22/these-weeks-in-firefox-issue-59/

 These Weeks in Firefox: Issue 59
lina May 22, 2019

No responses yet
Highlights

    Wow, what a weekend! Hopefully your add-ons are all working now.
        A small set of users are still reporting add-on outages. We suspect that the Master Password and Anti-virus software are interfering with the original fix for those users. We’ve released 66.0.5 to try to handle those cases.
    Outreachy interns for this summer have been announced
        Mozilla is mentoring 8 students in this round. Thank you to all the mentors and all the applicants!
    The Google Summer of Code students and projects have been publicly announced! Check out what folks will be working on this summer!
    MattN wrote a blog post summarizing the Password Manager Improvements in Firefox 67

Friends of the Firefox team

Here’s a list of all resolved bugs.
Fixed more than one bug

    Chris Frey [:nautilus]
    Florens Verschelde :fvsch
    Kestrel
    lloan:[lloanalas]
    Mohd Umar Alam [:umaralam48]
    Neha
    Tim Nguyen :ntim

New contributors (🌟 = first patch)

    Chujun Lu fixed a bug where pressing the Enter key when putting a conditional breakpoint into the Debugger would incorrectly cause a linebreak
    🌟 DILIP fixed a spelling mistake in one of our console warning messages
    Chris Frey [:nautilus] converted the toolbar context menu strings to Fluent, and also fixed two other Fluent-related bugs
    jaril fixed a glitch where sometimes the Debugger would break on an exception unexpectedly
    Mariana Meireles got rid of some dead code in AboutRedirector
    🌟 Ananth fixed up a styling glitch in the Web Console for console.assert strings
    🌟 Myeongjun Go made it so that a better error message is emitted when WebExtensions attempt to insert a bookmark folder into the root folder
    🌟 Thomas made it so that we truncate very long strings in the DevTools Inspector info bar rather than let them overflow past the end of the screen
    🌟 Mohd Umar Alam [:umaralam48] made it so that the Synced Tabs toggle shows an option to “Hide” in the Synced Tabs list when the sidebar is open, and fixed a glitch where the History Sidebar toggle label was missing

Project Updates
Activity Stream

    A new Contextual Feature Recommendation for Sync is coming to the bookmark Star UI

"Sync your bookmarks everywhere" recommendation in the star UI

    A lot of improvements and fixes to the new Pocket New Tab, specifically around network failure states.

Add-ons / Web Extensions

    Rob Wu added browser console warnings in 68 for proxy APIs that will be deprecated in 71.
    Mark Striemer has finished nearly everything remaining for HTML about:addons MVP for 68.
    Shane Caraveo added cookieStoreId to webRequest APIs and exposed the private browsing flag in proxy/webRequest details.
    Luca Greco added the ability to submit an abuse report on an installed extension from about:addons.
    Kris Maglione fixed the theme header background image caching issue for converted LWTs (since they’re all static themes now).
    …and everyone is reviewing like crazy to get things in 68 as planned because this weekend was “relaxing downtime” before soft code freeze.

Applications
Lockwise

    Rebranding going on this week.
    The team is working on polishing the extension for an initial release, and then integrating the extension into desktop Firefox.

Firefox Accounts

    Ed and Vlad are finalizing the sign-in UX for Fenix, our next-generation Android browser 🚦
    Ed landed Rust APIs for FxA device registration and New Send Tab. Grisha is working on integrating this into Android Components so that Fenix can use it 📑

Sync and Storage

    Mark has an RFC for a sync manager in Rust, to orchestrate syncing of multiple data types 🔄
    Thom landed code to import Firefox for iOS bookmarks into the Rust bookmarks component. The next iOS release will use the bookmarks component, and offer bookmark editing! 🔖
    Ed is continuing to migrate our crypto backend to NSS 🔒
    Lina has been working on adding telemetry for Android and iOS 🔍, and enabled the new bookmark sync by default in Nightly and Beta 📚

Push

    Jonathan and JR are bringing Push for internal Mozilla consumers (New Send Tab, FxA verification) to Fenix! 📣

Browser Architecture

    RKV conversions have been rolled back for now while we investigate issues migrating from 32-bit to 64-bit builds.
    browser.html conversion ready to go, but waiting until the next cycle.
    Fluent cache for chrome documents ready to land. This will fix corner cases where DOM mutations might not trigger Fluent updates.

Developer Tools
Console

    Jefry Lagrange added a way to export console output to a file in bug 1517728.
    “Copy as Fetch” and “Use in console” have been added to the network monitor context menu in bug 1540054.
    When CSS warnings are displayed in the console, you can now expand them (like a console group) to reveal all the DOM nodes that this warning applies to. So it allows you to jump from a CSS warning in the console directly to the inspector.

Screenshot of expanded CSS warning showing affected elements
Debugger

    Work on DOM & Event breakpoints started
    Progress with captured stacks for various errors appearing in the Console panel (for web developers) or Browser Console window (for browser + addon developers).

Network

    Local HTTP requests are marked as secure now (bug).

Screenshot of `localhost` with green lock icon in Network monitor
Remote Debugging

    DevTools shortcuts now supported in about:devtools-toolbox (bug)
    Favicons and user friendly titles for about:debugging and about:devtools-toolbox (bug)

Screenshot of wrench and window favicons for debugging and toolbox

    Closable error messages (and UI cleanup) (bug)

Screenshot of "connection failed" error and "connection still pending" warning with close buttons
Documentation

    New MDN page for Logpoints
    Set a breakpoint page updated to show column breakpoints

Fission

    Subframe crashing UI landed
    Here’s a video demonstration
    Enn is working on getting BrowserTabChild ported to Fission
    mconley is going to work on getting PermitUnload working properly with out-of-process iframes

Lint

    l1nt, which checks for common mistakes in en-US files, and warns on ID conflicts between central/beta/release, is now enabled.
        Example on phabricator: https://phabricator.services.mozilla.com/D29001
        autoland: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel%2Crunnable&group_state=expanded&revision=2f1af0a1f129d6af5073c1b53fd15bc5bacb50b0&selectedJob=245063123

Mobile
Android Components

    Support for built-in WebExtensions has been added! The new Reader View feature component (in Fenix and Reference Browser) is built on top of this.

Password Manager

    Work continues on the breakdown of integrating the new management UI, a base patch for the desktop implementation is ready to land.
    Minimal scope for password generation via autocomplete was defined and most bugs have been filed.
    Data on adoption of autocomplete=“new-password” was gathered as part of the password generation investigation.

Performance

    New startup main-thread IO test will be enabled on non-debug Desktop builds soon!
    Patch to not load userContent.css in the parent process landed and bounced. After some discussion, we’ve decided to put loading userChrome.css and userContent.css behind a default-off pref
        This should allow us to avoid searching the disk for those files on start-up for users that don’t have those customizations, which will improve start-up performance.
        aswan did some detective work and found some nice places where we can improve start-up time in the AddonManager for brand new profiles
    dthayer is investigating compressing various things with lz4 rather than deflate
    Gijs has a patch underway to avoid reading chrome.manifest files when not necessary
    Gijs made file renaming / moving cheaper on Windows in the common case

Performance tools

    Welcoming Raj Meghpara, our new GSoC student! He’s going to work on Instruments import support for Firefox Profiler.
    Network tooltips are now displayed as soon as the line is hovered.
    The publishing flow has been streamlined (ux issue)

New look of publish panel in Firefox Profiler with inverted checkboxes

    More tools in the web console:

List of available profiler information in the console

    MOZ_PROFILER_HELP env variable gives help to profile Firefox startup.

Picture-in-Picture

    Holding to Nightly while we iterate.
    Please keep filing bugs against this meta bug if you notice anything strange. Thanks!
    Fixed
        Clicking on the Picture-in-Picture toggle no longer sends mouse events to content
        The toggle no longer appears when in fullscreen
        The controls (mostly) disappear after 3 seconds on the player window when not hovering
        Fixed strange borders showing up when switching focus between the player window and other windows
        Made the player window easier to resize
    Soon to be fixed
        Player buttons look strange on “tall” videos
        RTL support
        Keyboard accessibility
        And loads of polish!

Privacy/Security

    To combat malicious malware sites, Paul made us disallow add-on installation prompts in full-screen.
    Because it went so well, we are going to extend our experiment for requiring user interaction for Notification permission prompts to Beta.
        Another blog post coming soon
        We also landed the telemetry pieces to do the announced release measurements on permission prompt usage in 67 release. This will hopefully allow us to narrow down on a set of good heuristics for automatically blocking.
    Prathikshalanded the first piece of her internship project to simplify and robust-ify the way about:certerror communicates with the parent process.
    Jonas continues to remove all the eval() usage in our chrome-privileged code.
    Small improvements to DNS over HTTPS UI in settings/preferences let you pick from resolvers

Search and Navigation
Search

    Looking into consequences and prevention after the add-ons certificate problem: Search Service initialization should be more robust
    New Baidu search code deployed as system add-on

Quantum Bar

    Fixed 19 Bugs in the last 2 weeks
    Quantum Bar is enabled by default in Firefox 68 🎉🎉🎉
    Still working on a few remaining bugs
    Designing and discussing WebExtension APIs for the first experiment

Bleeding edge browsing

Download Firefox Nightly

Share this post


Link to post
Share on other sites
Quote

 

Google views ad blocking as a business risk and restricts ad blocking in Chrome

but with Mozilla's Firefox browser, uBlock Origin, uMatrix and Privacy Badger will continue to work. :-)

 

 

Share this post


Link to post
Share on other sites

So essentially then this version of SRWare Iron I'm using is the last version then if it the dev doesn't modify/undo what Google is doing.

Share this post


Link to post
Share on other sites

The new firefox branding seems to be launching

logo-master-wordmark-dark.9969bf7e6192.s

 

 

Share this post


Link to post
Share on other sites

belated ff 67.0.2 ...

 

11. juni 2019

 

Fixed

  • Fix JavaScript error ("TypeError: data is null in PrivacyFilter.jsm") in console which may significantly degrade sessionstore reliability and performance (bug 1553413)

  • Proxy authentication dialog box repeatedly pops up asking to authenticate after upgrading to Firefox 67 (bug 1548804)

  • Pearson MyCloud breaks if FIDO U2F is not Chrome's implementation (bug 1551282)

  • Starting in safe mode on Linux or macOS causes Firefox to think on the subsequent launch that the profile is too recent to be used with this version of Firefox (bug 1556612)

  • Linux distribution users can't easily install/use additional/different languages using the built-in preferences UI (bug 1554744)

  • Developer tools users can't copy the href/src content from various HTML tags via the context menu in the Inspector markup view (bug 1552275)

  • Custom home page is broken with clearing data on shutdown settings applied (bug 1554167)

  • Performance-regression for eclipse RAP based applications (bug 1555962)

  • macOS 10.15 crash fix (bug 1556076)

  • Can't start two downloads in parallel via <a download> anymore (bug 1542912)

Share this post


Link to post
Share on other sites

ff v60.7.1 esr

 

18. juni 2019

 

Fixed

Quote

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

Developer

Share this post


Link to post
Share on other sites

ff v60.7.2 esr

 

20. june 2019

 

Fixed

 

Quote

CVE-2019-11708: sandbox escape using Prompt:Open

Reporter
Coinbase Security
Impact
high
Description

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.

 

Share this post


Link to post
Share on other sites
Quote

Windows Background Intelligent Transfer Service (BITS) responsible for downloading Windows Updates is going to download Firefox updates in the background even when the browser is not running or closed in upcoming Firefox release. Mozilla to use BITS for Firefox 68 to update browser whereas from version 70 onwards they are going to use BITS via a dedicated “Background Update agent” to install Firefox updates.

 

https://techdows.com/2019/06/mozilla-to-use-bits-and-a-background-update-agent-to-update-firefox-on-windows.html

Share this post


Link to post
Share on other sites
6 hours ago, hazelnut said:

"the agent is aimed at users on slow connections"

I'm not buying that. That's an almost non-existent issue in this day and age. My cynical side thinks this will be for more than one way traffic <_<

Share this post


Link to post
Share on other sites
6 minutes ago, JDPower said:

"the agent is aimed at users on slow connections"

I'm not buying that. That's an almost non-existent issue in this day and age. My cynical side thinks this will be for more than one way traffic <_<

Obviously you've never been in rural america where even broadband speeds are as slow as a 1990s' modem

Share this post


Link to post
Share on other sites
17 minutes ago, Nergal said:

Obviously you've never been in rural america where even broadband speeds are as slow as a 1990s' modem

It's not exactly a rising issue that needs addressing. It's a bit like making the entire planet take vitamin C tablets cos there are still some people that get scurvy.

And those people in rural America have presumably coped perfectly well updating their browser for the last 20 years. Just doesn't add up to cynical old me ^_^

Share this post


Link to post
Share on other sites

Enabling BITS on nightly for me results in the update downloading only after pages have loaded

Share this post


Link to post
Share on other sites

ff v68.0

 

09. july 2019

 

New

  • Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars.

  • Improved extension security and discovery:

    • New reporting feature in about:addons allows you to report security and performance issues with extensions and themes.
    • Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension.
    • Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. "Recommended” badges for these extensions also appear on AMO. More extensions will be added over time.
  • Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences.

  • WebRender will roll out to Windows 10 users with AMD graphics cards.

  • Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed.

Fixed

  • Various security fixes

  • Local files can no longer access other files in the same directory.

Changed

  • Unified existing locales (bn-BD, bn-IN) under a single Bengali (bn) localization.

  • The following unmaintained translations have been removed: Assamese (as), English - South Africa (en-ZA), Maithili (mai), Malayalam (ml), Odia (or). Existing users will be migrated to the British English (en-GB) version.

  • When an HTTPS error caused by antivirus software is detected, Firefox will attempt to automatically fix it

  • Camera and microphone access now require an HTTPS connection.

  • The way non-default preferences are synced has changed. Please see this support article for more details

Enterprise

  • For all operating systems, we have a number of additional policies including:

    • New tab page configuration and disabling
    • Local file links
    • Download behavior
    • Search suggestions
    • Managed storage for using policies in Webextensions
    • Extension whitelisting and blacklisting by ID and website
    • A subset of commonly used Firefox preferences

    You can see a full list of policies here.

Developer

  • Firefox Developer Tools now offers a full page color contrast audit that identifies all elements on a page that fail color contrast checks.

  • Added about:compat, where website-specific workarounds are listed and may be toggled. These workarounds are meant as temporary fixes for various forms of website breakage for Firefox, while the website fixes them in due time. With about:compat, it is now easy to see all of the workarounds that are active in Firefox, and easy for website developers to disable a given workaround for testing purposes.

  • Introduces CSS Scroll Snap module that enforces scroll snap positions.

unresolved

  • The new URL bar implementation does not handle javascript: bookmarklets triggered via bookmark keywords correctly yet (bug 1552141)

Share this post


Link to post
Share on other sites

ff v60.8.0 esr

 

09. july 2019

 

Fixed

 

Security vulnerabilities fixed in Firefox ESR 60.8

Announced
July 9, 2019
Impact
critical
Products
Firefox ESR
Fixed in
  • Firefox ESR 60.8

#CVE-2019-9811: Sandbox escape via installation of malicious language pack

Reporter
Niklas Baumstark
Impact
high
Description

As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation.

References

#CVE-2019-11711: Script injection within domain through inner window reuse

Reporter
Boris Zbarsky
Impact
high
Description

When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security.

References

#CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

Reporter
Gregory Smiley of Security Compass
Impact
high
Description

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.

References

#CVE-2019-11713: Use-after-free with HTTP/2 cached stream

Reporter
Hanno Böck
Impact
high
Description

A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash.

References

#CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

Reporter
Jonas Allmann
Impact
moderate
Description

Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used.

References

#CVE-2019-11715: HTML parsing error can contribute to content XSS

Reporter
Linus Särud
Impact
moderate
Description

Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances.

References

#CVE-2019-11717: Caret character improperly escaped in origins

Reporter
Tyson Smith
Impact
moderate
Description

A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes.

References

#CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

Reporter
Henry Corrigan-Gibbs
Impact
moderate
Description

When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure.

References

#CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

Reporter
Luigi Gubello
Impact
moderate
Description

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. Luigi Gubello demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents.

References

#CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

Reporter
Mozilla developers and community
Impact
critical
Description

Mozilla developers and community members Andreea Pavel, Christian Holler, Honza Bambas, Jason Kratzer, and Jeff Gilbert reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

References

Share this post


Link to post
Share on other sites

ff v68.0 esr

 

09. july 2019

 

New

  • A number of features improve the browser experience in enterprise settings.

    • MSI installer file type is included in this release, helping make deployments in the Windows environment easier and more flexible.
    • Configuration profiles in macOS
    • The ability to read added certificates roots from the macOS Keychain

    • For all operating systems, we have a number of additional policies including:

    • New tab page configuration and disabling
    • Local file links
    • Download behavior
    • Search suggestions
    • Managed storage for using policies in Webextensions
    • Extension configuration (allow/deny) by ID and website
    • A subset of commonly used Firefox preferences

    You can see a full list of policies here.

  • User and enterprise added certificates are read from the operating system by default.

Fixed

  • Local files can no longer access other files in the same directory.

Changed

unresolved

  • Windows Background Intelligent Transfer Service (BITS) update download for proxy users with authentication will fall back to legacy update system on Windows (bug 1561200)

  • Service workers and push notifications remain disabled in Firefox ESR

Share this post


Link to post
Share on other sites

I jupdated to 68.0.1 and the contrast changed; all the screen colours in the Firefox browser now look 'washed out'.

Has anybody else been affected in this way?

EDIT.
Looks as if it may not have been FFx that caused this.
I had installed some CAD software yesterday, reverting back to the restore point from that installation seems to have cleared the issue.

Share this post


Link to post
Share on other sites

ff v68.0.1

 

18. july 2019

 

New

  • macOS releases are now signed by the Apple notary service, allowing Firefox to properly run on macOS 10.15 Beta releases

Fixed

  • Fixed missing Full Screen button when watching videos in full screen mode on HBO GO (bug 1562837)

  • Fixed a bug causing incorrect messages to appear for some locales when sites try to request the use of the Storage Access API (bug 1558503)

  • Users in Russian regions may have their default search engine changed (bug 1565315)

  • Built-in search engines in some locales do not function correctly (bug 1565779)

Developer

 
______________________________________________________________________________________________________________________________________________________________
belated
ff v68.0.2
 
14. aug 2019
 

Fixed

  • Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar (bug 1560228)

  • Allow fonts to be loaded via file:// URLs when opening a page locally (bug 1565942)

  • Printing emails from the Outlook web app no longer prints only the header and footer (bug 1567105)

  • Fixed a bug causing some images not to be displayed on reload, including on Google Maps (bug 1565542)

  • Fixed an error when starting external applications configured as URI handlers (bug 1567614)

  • Security fixes

 

Share this post


Link to post
Share on other sites

ff v68.0.1 esr

 

18. july 2019

 

the same as ff v68.0.1

and

Enterprise

  • Enterprise Policy improvements:

    • SupportMenu policy doesn't always work (bug 1553290)
    • Allow the new ExtensionSettings policy to work with GPO on Windows (bug 1553586)
    • Allow the privacy.file_unique_origin pref to be controlled by policy (bug 1563759)

Share this post


Link to post
Share on other sites

ff v69.0

 

03. sept 2019

 

Quote

As of today, Enhanced Tracking Protection will be turned on by default, strengthening the security and privacy for all of our users around the world.

 

New

  • Enhanced Tracking Protection (ETP) rolls out stronger privacy protections:

    • The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
    • The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.
  • The Block Autoplay feature is enhanced to give users the option to block any video that automatically starts playing, not just those that automatically play with sound.

  • For our users in the US or using the en-US browser, we are shipping a new “New Tab” page experience that connects you to the best of Pocket’s content.

  • Support for the Web Authentication HmacSecret extension via Windows Hello now comes with this release, for versions of Windows 10 May 2019 or newer, enabling more passwordless experiences on the web.

  • Support for receiving multiple video codecs with this release makes it easier for WebRTC conferencing services to mix video from different clients.

  • For our users on Windows 10, you’ll see performance and UI improvements:

    • Firefox will give Windows hints to appropriately set content process priority levels, meaning more processor time spent on the tasks you're actively working on, and less processor time spent on things in the background (with the exception of video and audio playback).
    • For our existing Windows 10 users, you can easily find and launch Firefox from a shortcut on the Win10 taskbar.
  • For our users on macOS, battery life and download UI are both improved:

    • macOS users on dual-graphics-card machines (like MacBook Pro) will switch back to the low-power GPU more aggressively, saving battery life.
    • Finder on macOS now displays download progress for files being downloaded.
  • JIT support comes to ARM64 for improved performance of our JavaScript Optimizing JIT compiler.

Fixed

Changed

  • As previously announced in the Plugin Roadmap for Firefox, the "Always Activate" option for Flash plugin content has been removed. Firefox will now always ask for user permission before activating Flash content on a website.

  • With the deprecation of Adobe Flash Player, there is no longer a need to identify users on 32-bit version of the Firefox browser on 64-bit version operating systems reducing user agent fingerprinting factors providing greater level of privacy to our users as well as improving the experience of downloading other apps.

  • Firefox no longer loads userChrome.css or userContent.css by default improving start-up performance. Users who wish to customize Firefox by using these files can set the toolkit.legacyUserProfileCustomizations.stylesheets preference to true to restore this ability.

Enterprise

  • For Enterprise system administrators that manage macOS computers, we begin shipping a Mozilla signed PKG installer to simplify your deployments.

Share this post


Link to post
Share on other sites

ff v60.9.0 esr

 

03. sept 2019

 

Fixed

Developer

 

 

Quote

 

Security vulnerabilities fixed in Firefox ESR 60.9

Announced
September 3, 2019
Impact
critical
Products
Firefox ESR
Fixed in
  • Firefox ESR 60.9

#CVE-2019-11746: Use-after-free while manipulating video

Reporter
Nils
Impact
high
Description

A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash.

References

#CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML

Reporter
Rakesh Mane
Impact
high
Description

Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements.

References

#CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images

Reporter
Paul Stone
Impact
high
Description

A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft.

References

#CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location

Reporter
Holger Fuhrmannek
Impact
high
Description

The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware. If the Mozilla Maintenance Service is manipulated to update this unprotected location and the updated maintenance service in the unprotected location has been altered, the altered maintenance service can run with elevated privileges during the update process due to a lack of integrity checks. This allows for privilege escalation if the executable has been replaced locally.
Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.

References

#CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB

Reporter
Zhanjia Song
Impact
high
Description

It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This results in a use-after-free and a potentially exploitable crash.

References

#CVE-2019-9812: Sandbox escape through Firefox Sync

Reporter
Niklas Baumstark via TrendMicro's Zero Day Initiative
Impact
high
Description

Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered.

References

#CVE-2019-11743: Cross-origin access to unload event attributes

Reporter
Yoav Weiss
Impact
moderate
Description

Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side-channel attacks.

References

#CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9

Reporter
Mozilla developers and community
Impact
high
Description

Mozilla developers and community members Tyson Smith and Nathan Froyd reported memory safety bugs present in Firefox 68, Firefox ESR 68, and Firefox 60.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

References

 

 

Share this post


Link to post
Share on other sites

Operating Systems (32-bit and 64-bit)

  • Windows 7
  • Windows 8
  • Windows 10

Recommended Hardware

  • Pentium 4 or newer processor that supports SSE2
  • 512MB of RAM / 2GB of RAM for the 64-bit version <---
  • 200MB of hard drive space

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...