CCleaner Community Forums
nodles

The Firefox/Mozilla Thread

ff v69.0.1

 

18. sept. 2019

 

Fixed

  • Fixed external programs launching in the background when clicking a link from inside Firefox to launch them (bug 1570845)

  • Usability improvements to the Add-ons Manager for users with screen readers (bug 1567600)

  • Fixed the Captive Portal notification bar not being dismissable in some situations after login is complete (bug 1578633)

  • Fixed the maximum size of fonts in Reader Mode when zoomed (bug 1578454)

  • Fixed missing stacks in the Developer Tools Performance section (bug 1578354)

  • Security and stability fixes


ff v69.0.2

 

03. oct. 2019

 

Fixed

  • Fixed a crash when editing files on Office 365 websites (bug 1579858)

  • Fixed detection of the Windows 10 Parental Controls feature being enabled (bug 1584613)

  • Fixed a Linux-only crash when changing the playback speed while watching YouTube videos (bug 1582222)


ff v69.0.3

 

10. oct. 2019

 

Fixed

  • Fixed download errors for Windows 10 users with Parental Controls enabled (bug 1586228)

  • Fixed Yahoo mail users being prompted to download files when clicking on emails (bug 1582848)


ff v68.2.0 esr

 

22. oct. 2019

 

Fixed

Enterprise

  • New administrative policies were added. More information and templates are available at the Policy Templates page.

 

 

Quote

 

CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber

Reporter: Sebastian Pipping
Impact: high
Description

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early. A subsequent call to XML_GetCurrentLineNumber or XML_GetCurrentColumnNumber then resulted in a heap-based buffer over-read.

References

CVE-2019-11757: Use-after-free when creating index updates in IndexedDB

Reporter: Zhanjia Song
Impact: high
Description

When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash.

References

CVE-2019-11758: Potentially exploitable crash due to 360 Total Security

Reporter: Mozilla developers and community
Impact: high
Description

Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we presume that with enough effort that it could be exploited to run arbitrary code.

References

CVE-2019-11759: Stack buffer overflow in HKDF output

Reporter: Guido Vranken
Impact: moderate
Description

An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash.

References

CVE-2019-11760: Stack buffer overflow in WebRTC networking

Reporter: Nils
Impact: moderate
Description

A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a potentially exploitable crash in some instances.

References

CVE-2019-11761: Unintended access to a privileged JSONView object

Reporter: Cody Crews
Impact: moderate
Description

By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms.

References

CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation

Reporter: Kris Maglione
Impact: moderate
Description

If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window.

References

CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique

Reporter: Gareth Heyes
Impact: moderate
Description

Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters.

References

CVE-2019-11764: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

Reporter: Mozilla developers and community
Impact: critical
Description

Mozilla developers and community members Bob Clary, Jason Kratzer, Aaron Klotz, Iain Ireland, Tyson Smith, Christian Holler, Steve Fink, Honza Bambas, Byron Campen, and Cristian Brindusan reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.

References

 


ff v70.0

 

22. oct. 2019

 

New

  • More privacy protections from Enhanced Tracking Protection:

  • More security protections from Firefox Lockwise, our digital identity and password management tool:

    • Lockwise for desktop lets you create, update, and delete your logins and passwords to sync across all your devices, including the Lockwise mobile apps and Firefox mobile browsers.
    • Integrated breach alerts from Firefox Monitor, to alert you when saved logins and passwords are compromised in online data breaches.
    • Complex password generation, to help you create and save strong passwords for new online accounts.
  • Improvements to core engine components, for better browsing on more sites

    • A faster JavaScript Baseline Interpreter to handle the modern web’s large codebases and improve page load performance by as much as 8 percent.
    • WebRender rolled out to more Firefox for Windows users (now available by default on Windows desktops with integrated Intel graphics cards and resolution of 1920x1200 or less) for improved graphics rendering.
    • Compositor improvements in Firefox for macOS that reduce power consumption, speed up page load by as much as 22 percent, and reduce resource use for video by up to 37 percent.
  • More browser features to help you get the most out of Firefox products and services

    • A stand-alone Firefox account menu for easy access to Firefox services like Monitor and Send.
    • A message panel accessed from the gift icon in the toolbar that offers a quick overview of new releases and key features.
    • When a website uses your geolocation, an indicator is shown in the address bar.

Fixed

Changed

  • Built-in Firefox pages now follow the system dark mode preference

  • Aliased theme properties have been removed, which may affect some themes

  • Passwords can now be imported from Chrome on macOS in addition to existing support for Windows

  • Readability is now greatly improved on under- or overlined texts, including links. The lines will now be interrupted instead of crossing over a glyph.

  • Improved privacy and security indicators

    • A new crossed-out lock icon will indicate sites delivered via insecure HTTP
    • The formerly green lock icon is now grey
    • The Extended Validation (EV) indicator has been moved to the identity popup that appears when clicking the lock icon

Developer

  • Developer Information
    For additional developer resources from Mozilla, visit our Mozilla Developer YouTube channel for new videos every week.

  • The Developer Tools Accessibility panel now includes an audit for keyboard accessibility and a color deficiency simulator for systems with WebRender enabled

  • Inactive CSS: The Inspector now grays out CSS declarations that don’t affect the selected element and shows a tooltip explaining why -- and even how to fix it.

  • The new DOM Mutation Breakpoints in Developer Tools allow developers to diagnose when scripts add, remove or update page content. This makes debugging of complex script interactions and dependencies a lot easier.

  • WebExtensions developers can now inspect browser.storage.local data using the "Addon Debugging" Firefox Developer Tools.

  • With new network resource search in Developer Tools, you can quickly find resources based on their request and response data, including headers, cookies and content.

unresolved


ff v70.0.1

 

31. oct. 2019

 

Fixed

  • Fix for an issue that caused some websites or page elements using dynamic JavaScript to fail to load. (Bug 1592136)

  • Update OpenH264 video plugin for macOS 10.15 users (Bug 1587543)

  • Title bar no longer shows in full screen view (Bug 1588747)

Changed

  • OpenH264 video codec version bump for macOS 10.15 users (Bug 1587543)

