Mozilla Firefox has rolled out version 120, addressing a total of 10 vulnerabilities, including six categorized as 'High Severity,' along with two moderate and low severity issues.
Key Highlights of Changes to Firefox 120
- The update introduces a Global Privacy Control setting.
- Users now have the option to import data from Chromium Snap.
- A new feature allows users to copy links without including site tracking information.
- The Picture-in-Picture mode on Windows and Linux now supports corner snapping.
- The release includes the addition of a new feature in the Developer Tools.
- TLS trust anchors can now be imported.
- Improvements have been made in private windows and the ETP-Strict privacy configuration.
High Severity Flaws Addressed
There were several high-severity issues that were reported upon testing and are now fixed. They are:
This vulnerability allowed for an out-of-bounds read and memory data leakage into images created on the canvas element. Reported by JSec of Hayyim Security.
The bug permitted the use of a MessagePort after it had been freed, potentially leading to an exploitable crash. Reported by Yangkang of the 360 ATA Team.
This issue involved a black fade animation during exit from fullscreen, potentially leading to clickjacking. Reported by Hafiizh.
A Use-after-free in ReadableByteStreamQueueEntry::Buffer was fixed. Reported by Yangkang of the 360 ATA Team.
A memory safety bug was fixed in Firefox 120, ESR 115.5, and Thunderbird 115.5.
Firefox 120 has addressed memory safety issues, which is the flaw identified as CVE-2023-6213. Developers for Mozilla reported both of the bugs with high severity.
In addition, memory safety issues were addressed, and developers at Mozilla reported evidence of memory corruption. There's a presumption that with sufficient effort, some of these could have been exploited to run arbitrary code.
Moderate and Low Severity Issues
Moderate Severity Issues that were addressed include:
Using the Selection API would copy contents into X11 primary selection.
Incorrect parsing of relative URLs starting with.
Low Severity Issues Addressed
Clickjacking to load insecure pages in HTTPS-only mode.
For those interested, Firefox 120 is available for download on the Mozilla website, compatible with Windows, macOS, and Linux.