The Mozilla Foundation has patched six High risk vulnerabilities in Firefox 95, as well as added a new security feature, RLBox, that hardens Firefox against third party library vulnerabilities.
An attacker could exploit these vulnerabilities to take control of impacted systems.
As part of Mozilla Foundation Security Advisory 2021-52, Firefox 95 addressed the following six High severity vulnerabilities:
- CVE-2021-43536: URL leakage when navigating while executing asynchronous function.
- CVE-2021-43537: Heap buffer overflow when using structured clone.
- CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both.
- CVE-2021-43539: GC rooting failure when calling wasm instance methods.
- MOZ-2021-0010: Use-after-free in fullscreen objects on MacOS.
- MOZ-2021-0009: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4.
The memory safety bugs could allow an attacker to exploit and then run arbitrary code. To add, five other Moderate and two Low severity vulnerabilities were also patched.
Moreover, the latest release of Firefox 95 includes a number of new features and security improvements. For instance, Firefox now includes RLBox, a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries.
RLBox was developed in collaboration with researchers at the University of California San Diego and the University of Texas.
Finally, Mozilla also released security updates for Firefox ESR 91.4.0, and Thunderbird 91.4.0.