The Mozilla Foundation has patched two Critical risk vulnerabilities in Firefox 100.0.2.
An attacker could exploit these vulnerabilities to take control of impacted systems.
As part of Mozilla Foundation Security Advisory 2022-19, Firefox 100.0.2 addressed the following Critical severity vulnerabilities:
- CVE-2022-1802: Prototype pollution in Top-Level Await implementation
- CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
“If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context,” Mozilla wrote in the advisory for CVE-2022-1802.
Regarding CVE-2022-1529, Mozilla warned that “an attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.”
Each of the issues is also fixed in Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1.
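The double-indexing pattern Mozilla describes for CVE-2022-1529, shown as a generic added illustration beside a hardened form. This is not Firefox code and not taken from the advisory; the handler names, message shape and settings table are hypothetical.

```javascript
// Constructed sample messages, as they might arrive from a less-privileged sender.
const hostileMsg = { group: "__proto__", key: "polluted", value: "yes" };
const benignMsg = { group: "ui", key: "theme", value: "dark" };

// Weak pattern: both index keys come straight from the message.
// settings["__proto__"] resolves to Object.prototype, so the write lands there.
function handleUnsafe(settings, msg) {
  settings[msg.group][msg.key] = msg.value;
}

// Hardened table: null-prototype objects have no inherited __proto__ accessor.
function makeSettings() {
  const s = Object.create(null);
  s.ui = Object.create(null);
  s.net = Object.create(null);
  return s;
}

// Hardened handler: type-check both keys and only follow own properties.
function handleSafe(settings, msg) {
  const { group, key, value } = msg;
  if (typeof group !== "string" || typeof key !== "string") return false;
  if (!Object.prototype.hasOwnProperty.call(settings, group)) return false;
  // Defense in depth: refuse keys that reach prototype machinery on ordinary objects.
  if (["__proto__", "constructor", "prototype"].includes(key)) return false;
  settings[group][key] = value;
  return true;
}

// Runs the weak handler and reports what an unrelated fresh object now inherits.
function demoUnsafe() {
  const settings = { ui: {}, net: {} };
  handleUnsafe(settings, hostileMsg);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted; // clean up the global side effect
  return leaked;
}

// Runs the hardened handler on the same hostile message and on a benign one.
function demoSafe() {
  const settings = makeSettings();
  const hostileApplied = handleSafe(settings, hostileMsg);
  const benignApplied = handleSafe(settings, benignMsg);
  return { hostileApplied, benignApplied, leaked: ({}).polluted, theme: settings.ui.theme };
}

console.log(demoUnsafe(), demoSafe());
```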