Security Advisories for Firefox
Impact key
- Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
- High: Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
- Moderate: Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
- Low: Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)
# Fixed in Firefox 133
# Fixed in Firefox 132
# Fixed in Firefox 131.0.3
# Fixed in Firefox 131.0.2
# Fixed in Firefox 131
# Fixed in Firefox 130
# Fixed in Firefox 129
# Fixed in Firefox 128
# Fixed in Firefox 127
# Fixed in Firefox 126
# Fixed in Firefox 125
# Fixed in Firefox 124.0.1
# Fixed in Firefox 124
# Fixed in Firefox 123
# Fixed in Firefox 122
# Fixed in Firefox 121
# Fixed in Firefox 120
# Fixed in Firefox 119
# Fixed in Firefox 118.0.1
# Fixed in Firefox 118
# Fixed in Firefox 117.0.1
# Fixed in Firefox 117
# Fixed in Firefox 116
# Fixed in Firefox 115.0.2
# Fixed in Firefox 115
# Fixed in Firefox 114
# Fixed in Firefox 113
# Fixed in Firefox 112
# Fixed in Firefox 111
# Fixed in Firefox 110
# Fixed in Firefox 109
# Fixed in Firefox 108
# Fixed in Firefox 107
# Fixed in Firefox 106
# Fixed in Firefox 105
# Fixed in Firefox 104
# Fixed in Firefox 103
# Fixed in Firefox 102
# Fixed in Firefox 101
# Fixed in Firefox 100.0.2
# Fixed in Firefox 100
# Fixed in Firefox 99
# Fixed in Firefox 98
# Fixed in Firefox 97.0.2
# Fixed in Firefox 97
# Fixed in Firefox 96
# Fixed in Firefox 95
# Fixed in Firefox 94
# Fixed in Firefox 93
# Fixed in Firefox 92
# Fixed in Firefox 91.0.1
# Fixed in Firefox 91
# Fixed in Firefox 90
# Fixed in Firefox 89.0.1
# Fixed in Firefox 89
# Fixed in Firefox 88.0.1
# Fixed in Firefox 88
# Fixed in Firefox 87
# Fixed in Firefox 86
# Fixed in Firefox 85.0.1
# Fixed in Firefox 85
# Fixed in Firefox 84.0.2
# Fixed in Firefox 84
# Fixed in Firefox 83
# Fixed in Firefox 82.0.3
- 2020-49 Security Vulnerabilities fixed in Firefox 82.0.3, Firefox ESR 78.4.1, and Thunderbird 78.4.2
# Fixed in Firefox 82
# Fixed in Firefox 81
# Fixed in Firefox 80
# Fixed in Firefox 79
# Fixed in Firefox 78.0.2
# Fixed in Firefox 78
# Fixed in Firefox 77
# Fixed in Firefox 76
# Fixed in Firefox 75
# Fixed in Firefox 74.0.1
# Fixed in Firefox 74
# Fixed in Firefox 73
# Fixed in Firefox 72.0.1
# Fixed in Firefox 72
# Fixed in Firefox 71
# Fixed in Firefox 70
# Fixed in Firefox 69.0.1
# Fixed in Firefox 69
# Fixed in Firefox 68.10.1
# Fixed in Firefox 68.0.2
# Fixed in Firefox 68
# Fixed in Firefox 67.0.4
# Fixed in Firefox 67.0.3
# Fixed in Firefox 67.0.2
# Fixed in Firefox 67
# Fixed in Firefox 66.0.1
# Fixed in Firefox 66
# Fixed in Firefox 65.0.1
# Fixed in Firefox 65
# Fixed in Firefox 64
# Fixed in Firefox 63
# Fixed in Firefox 62.0.3
# Fixed in Firefox 62.0.2
# Fixed in Firefox 62
# Fixed in Firefox 61
# Fixed in Firefox 60.0.2
# Fixed in Firefox 60
# Fixed in Firefox 59.0.2
# Fixed in Firefox 59.0.1
# Fixed in Firefox 59
# Fixed in Firefox 58.0.1
# Fixed in Firefox 58
# Fixed in Firefox 57.0.4
# Fixed in Firefox 57.0.2
# Fixed in Firefox 57.0.1
# Fixed in Firefox 57
# Fixed in Firefox 56
# Fixed in Firefox 55
# Fixed in Firefox 54
# Fixed in Firefox 53.0.2
# Fixed in Firefox 53
# Fixed in Firefox 52.0.1
# Fixed in Firefox 52
# Fixed in Firefox 51.0.3
# Fixed in Firefox 51
# Fixed in Firefox 50.1
# Fixed in Firefox 50.0.2
# Fixed in Firefox 50.0.1
# Fixed in Firefox 50
# Fixed in Firefox 49.0.2
# Fixed in Firefox 49
# Fixed in Firefox 48
- 2016-84 Information disclosure through Resource Timing API during page navigation
- 2016-83 Spoofing attack through text injection into internal error pages
- 2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
- 2016-81 Information disclosure and local file manipulation through drag and drop
- 2016-80 Same-origin policy violation using local HTML file and saved shortcut file
- 2016-79 Use-after-free when applying SVG effects
- 2016-78 Type confusion in display transformation
- 2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
- 2016-76 Scripts on marquee tag can execute in sandboxed iframes
- 2016-75 Integer overflow in WebSockets during data buffering
- 2016-74 Form input type change from password to text can store plain text password in session restore file
- 2016-73 Use-after-free in service workers with nested sync events
- 2016-72 Use-after-free in DTLS during WebRTC session shutdown
- 2016-71 Crash in incremental garbage collection in JavaScript
- 2016-70 Use-after-free when using alt key and toplevel menus
- 2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
- 2016-68 Out-of-bounds read during XML parsing in Expat library
- 2016-67 Stack underflow during 2D graphics rendering
- 2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
- 2016-65 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
- 2016-64 Buffer overflow rendering SVG with bidirectional content
- 2016-63 Favicon network connection can persist when page is closed
- 2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
# Fixed in Firefox 47
- 2016-61 Network Security Services (NSS) vulnerabilities
- 2016-60 Java applets bypass CSP protections
- 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes
- 2016-58 Entering fullscreen and persistent pointerlock without user permission
- 2016-57 Incorrect icon displayed on permissions notifications
- 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
- 2016-55 File overwrite and privilege escalation through Mozilla Windows updater
- 2016-54 Partial same-origin-policy through setting location.host through data URI
- 2016-53 Out-of-bounds write with WebGL shader
- 2016-52 Addressbar spoofing through the SELECT element
- 2016-51 Use-after-free deleting tables from a contenteditable document
- 2016-50 Buffer overflow parsing HTML5 fragments
- 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
# Fixed in Firefox 46
- 2016-48 Firefox Health Reports could accept events from untrusted domains
- 2016-47 Write to invalid HashMap entry through JavaScript.watch()
- 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions
- 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace
- 2016-44 Buffer overflow in libstagefright with CENC offsets
- 2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors
- 2016-42 Use-after-free and buffer overflow in Service Workers
- 2016-41 Content provider permission bypass allows malicious application to access data
- 2016-40 Privilege escalation through file deletion by Maintenance Service updater
- 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
# Fixed in Firefox 45
- 2016-38 Out-of-bounds write with malicious font in Graphite 2
- 2016-37 Font vulnerabilities in the Graphite 2 library
- 2016-36 Use-after-free during processing of DER encoded keys in NSS
- 2016-35 Buffer overflow during ASN.1 decoding in NSS
- 2016-34 Out-of-bounds read in HTML parser following a failed allocation
- 2016-33 Use-after-free in GetStaticInstance in WebRTC
- 2016-32 WebRTC and LibVPX vulnerabilities found through code inspection
- 2016-31 Memory corruption with malicious NPAPI plugin
- 2016-30 Buffer overflow in Brotli decompression
- 2016-29 Same-origin policy violation using performance.getEntries and history navigation with session restore
- 2016-28 Addressbar spoofing through history navigation and Location protocol property
- 2016-27 Use-after-free during XML transformations
- 2016-26 Memory corruption when modifying a file being read by FileReader
- 2016-25 Use-after-free when using multiple WebRTC data channels
- 2016-24 Use-after-free in SetBody
- 2016-23 Use-after-free in HTML5 string parser
- 2016-22 Out-of-bounds read in Service Worker Manager
- 2016-21 Displayed page address can be overridden
- 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
- 2016-19 Linux video memory DOS with Intel drivers
- 2016-18 CSP reports fail to strip location information for embedded iframe pages
- 2016-17 Local file overwriting and potential privilege escalation through CSP reports
- 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
# Fixed in Firefox 44.0.2
# Fixed in Firefox 44
- 2016-15 Use-after-free in NSS during SSL connections in low memory
- 2016-12 Lightweight themes on Firefox for Android do not verify a secure connection
- 2016-11 Application Reputation service disabled in Firefox 43
- 2016-10 Unsafe memory manipulation found through code inspection
- 2016-09 Addressbar spoofing attacks
- 2016-08 Delay following click events in file download dialog too short on OS X
- 2016-07 Errors in mp_div and mp_exptmod cryptographic functions in NSS
- 2016-06 Missing delay following user click events in protocol handler dialog
- 2016-05 Addressbar spoofing through stored data url shortcuts on Firefox for Android
- 2016-04 Firefox allows for control characters to be set in cookie names
- 2016-03 Buffer overflow in WebGL after out of memory allocation
- 2016-02 Out of Memory crash when parsing GIF format images
- 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)
# Fixed in Firefox 43.0.2
# Fixed in Firefox 43
- 2015-149 Cross-site reading attack through data and view-source URIs
- 2015-148 Privilege escalation vulnerabilities in WebExtension APIs
- 2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright
- 2015-146 Integer overflow in MP4 playback in 64-bit versions
- 2015-145 Underflow through code inspection
- 2015-144 Buffer overflows found through code inspection
- 2015-143 Linux file chooser crashes on malformed images due to flaws in Jasper library
- 2015-142 DOS due to malformed frames in HTTP/2
- 2015-141 Hash in data URI is incorrectly parsed
- 2015-140 Cross-origin information leak through web workers error events
- 2015-139 Integer overflow allocating extremely large textures
- 2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed
- 2015-137 Firefox allows for control characters to be set in cookies
- 2015-136 Same-origin policy violation using performance.getEntries and history navigation
- 2015-135 Crash with JavaScript variable assignment with unboxed objects
- 2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)
# Fixed in Firefox 42
- 2015-133 NSS and NSPR memory corruption issues
- 2015-132 Mixed content WebSocket policy bypass through workers
- 2015-131 Vulnerabilities found through code inspection
- 2015-130 JavaScript garbage collection crash with Java applet
- 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped
- 2015-128 Memory corruption in libjar through zip files
- 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
- 2015-126 Crash when accessing HTML tables with accessibility tools on OS X
- 2015-125 XSS attack through intents on Firefox for Android
- 2015-124 Android intents can be used on Firefox for Android to open privileged files
- 2015-123 Buffer overflow during image interactions in canvas
- 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
- 2015-121 Disabling scripts in Add-on SDK panels has no effect
- 2015-120 Reading sensitive profile files through local HTML file on Android
- 2015-119 Firefox for Android addressbar can be removed after fullscreen mode
- 2015-118 CSP bypass due to permissive Reader mode whitelist
- 2015-117 Information disclosure through NTLM authentication
- 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
# Fixed in Firefox 41.0.2
# Fixed in Firefox 41
- 2015-114 Information disclosure via the High Resolution Time API
- 2015-113 Memory safety errors in libGLES in the ANGLE graphics library
- 2015-112 Vulnerabilities found through code inspection
- 2015-111 Errors in the handling of CORS preflight request headers
- 2015-110 Dragging and dropping images exposes final URL after redirects
- 2015-109 JavaScript immutable property enforcement can be bypassed
- 2015-108 Scripted proxies can access inner window
- 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
- 2015-106 Use-after-free while manipulating HTML media content
- 2015-105 Buffer overflow while decoding WebM video
- 2015-104 Use-after-free with shared workers and IndexedDB
- 2015-103 URL spoofing in reader mode
- 2015-102 Crash when using debugger with SavedStacks in JavaScript
- 2015-101 Buffer overflow in libvpx while parsing vp9 format video
- 2015-100 Arbitrary file manipulation by local user through Mozilla updater
- 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme
- 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes
- 2015-97 Memory leak in mozTCPSocket to servers
- 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
# Fixed in Firefox 40.0.3
- 2015-95 Add-on notification bypass through data URLs
- 2015-94 Use-after-free when resizing canvas element during restyling
# Fixed in Firefox 40
- 2015-92 Use-after-free in XMLHttpRequest with shared workers
- 2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
- 2015-90 Vulnerabilities found through code inspection
- 2015-89 Buffer overflows on Libvpx when decoding WebM video
- 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
- 2015-87 Crash when using shared memory in JavaScript
- 2015-86 Feed protocol with POST bypasses mixed content protections
- 2015-85 Out-of-bounds write with Updater and malicious MAR file
- 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
- 2015-83 Overflow issues in libstagefright
- 2015-82 Redefinition of non-configurable JavaScript object properties
- 2015-81 Use-after-free in MediaStream playback
- 2015-80 Out-of-bounds read with malformed MP3 file
- 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
# Fixed in Firefox 39.0.3
# Fixed in Firefox 39
- 2015-71 NSS incorrectly permits skipping of ServerKeyExchange
- 2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
- 2015-69 Privilege escalation through internal workers
- 2015-68 OS X crash reports may contain entered key press information
- 2015-67 Key pinning is ignored when overridable errors are encountered
- 2015-66 Vulnerabilities found through code inspection
- 2015-65 Use-after-free in workers while using XMLHttpRequest
- 2015-64 ECDSA signature validation fails to handle some signatures correctly
- 2015-63 Use-after-free in Content Policy due to microtask execution error
- 2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio
- 2015-61 Type confusion in Indexed Database Manager
- 2015-60 Local files or privileged URLs in pages can be opened into new tabs
- 2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)
# Fixed in Firefox 38
- 2015-93 Integer overflows in libstagefright while processing MP4 video metadata
- 2015-58 Mozilla Windows updater can be run outside of application directory
- 2015-57 Privilege escalation through IPC channel messages
- 2015-56 Untrusted site hosting trusted page can intercept webchannel responses
- 2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata
- 2015-54 Buffer overflow when parsing compressed XML
- 2015-53 Use-after-free due to Media Decoder Thread creation during shutdown
- 2015-52 Sensitive URL encoded information written to Android logcat
- 2015-51 Use-after-free during text processing with vertical text enabled
- 2015-50 Out-of-bounds read and write in asm.js validation
- 2015-49 Referrer policy ignored when links opened by middle-click and context menu
- 2015-48 Buffer overflow with SVG content and CSS
- 2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
- 2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
# Fixed in Firefox 37.0.2
# Fixed in Firefox 37.0.1
- 2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header
- 2015-43 Loading privileged content through Reader mode
# Fixed in Firefox 37
- 2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
- 2015-41 PRNG weakness allows for DNS poisoning on Android
- 2015-40 Same-origin bypass through anchor navigation
- 2015-39 Use-after-free due to type confusion flaws
- 2015-38 Memory corruption crashes in Off Main Thread Compositing
- 2015-37 CORS requests should not follow 30x redirections after preflight
- 2015-36 Incorrect memory management for simple-type arrays in WebRTC
- 2015-35 Cursor clickjacking with flash and images
- 2015-34 Out of bounds read in QCMS library
- 2015-33 resource:// documents can load privileged pages
- 2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
- 2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
- 2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
# Fixed in Firefox 36.0.4
# Fixed in Firefox 36.0.3
# Fixed in Firefox 36
- 2015-27 Caja Compiler JavaScript sandbox bypass
- 2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs
- 2015-25 Local files or privileged URLs in pages can be opened into new tabs
- 2015-24 Reading of local files through manipulation of form autocomplete
- 2015-23 Use-after-free in Developer Console date with OpenType Sanitiser
- 2015-22 Crash using DrawTarget in Cairo graphics library
- 2015-21 Buffer underflow during MP3 playback
- 2015-20 Buffer overflow during CSS restyling
- 2015-19 Out-of-bounds read and write while rendering SVG content
- 2015-18 Double-free when using non-default memory allocators with a zero-length XHR
- 2015-17 Buffer overflow in libstagefright during MP4 video playback
- 2015-16 Use-after-free in IndexedDB
- 2015-15 TLS TURN and STUN connections silently fail to simple TCP connections
- 2015-14 Malicious WebGL content crash when writing strings
- 2015-13 Appended period to hostnames can bypass HPKP and HSTS protections
- 2015-12 Invoking Mozilla updater will load locally stored DLL files
- 2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)
# Fixed in Firefox 35
- 2015-10 Update OpenH264 plugin to version 1.3
- 2015-09 XrayWrapper bypass through DOM objects
- 2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension
- 2015-07 Gecko Media Plugin sandbox escape
- 2015-06 Read-after-free in WebRTC
- 2015-05 Read of uninitialized memory in Web Audio
- 2015-04 Cookie injection through Proxy Authenticate responses
- 2015-03 sendBeacon requests lack an Origin header
- 2015-02 Uninitialized memory use during bitmap rendering
- 2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)
# Fixed in Firefox 34
- 2015-10 Update OpenH264 plugin to version 1.3
- 2014-91 Privileged access to security wrapped protected objects
- 2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory
- 2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
- 2014-88 Buffer overflow while parsing media content
- 2014-87 Use-after-free during HTML5 parsing
- 2014-86 CSP leaks redirect data via violation reports
- 2014-85 XMLHttpRequest crashes with some input streams
- 2014-84 XBL bindings accessible via improper CSS declarations
- 2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)
# Fixed in Firefox 33
- 2014-82 Accessing cross-origin objects via the Alarms API
- 2014-81 Inconsistent video sharing within iframe
- 2014-80 Key pinning bypasses
- 2014-79 Use-after-free interacting with text directionality
- 2014-78 Further uninitialized memory use during GIF rendering
- 2014-77 Out-of-bounds write with WebM video
- 2014-76 Web Audio memory corruption issues with custom waveforms
- 2014-75 Buffer overflow during CSS manipulation
- 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)
# Fixed in Firefox 32.0.3
# Fixed in Firefox 32
- 2014-72 Use-after-free setting text directionality
- 2014-71 Profile directory file access through file: protocol
- 2014-70 Out-of-bounds read in Web Audio audio timeline
- 2014-69 Uninitialized memory use during GIF rendering
- 2014-68 Use-after-free during DOM interactions with SVG
- 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)
# Fixed in Firefox 31.1
# Fixed in Firefox 31
- 2014-66 IFRAME sandbox same-origin access through redirect
- 2014-65 Certificate parsing broken by non-standard character encoding
- 2014-64 Crash in Skia library when scaling high quality images
- 2014-63 Use-after-free when manipulating certificates in the trusted cache
- 2014-62 Exploitable WebGL crash with Cesium JavaScript library
- 2014-61 Use-after-free with FireOnStateChange event
- 2014-60 Toolbar dialog customization event spoofing
- 2014-59 Use-after-free in DirectWrite font handling
- 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
- 2014-57 Buffer overflow during Web Audio buffering for playback
- 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)
# Fixed in Firefox 30
- 2014-54 Buffer overflow in Gamepad API
- 2014-53 Buffer overflow in Web Audio Speex resampler
- 2014-52 Use-after-free with SMIL Animation Controller
- 2014-51 Use-after-free in Event Listener Manager
- 2014-50 Clickjacking through cursor invisibility after Flash interaction
- 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
- 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
# Fixed in Firefox 29
- 2014-47 Debugger can bypass XrayWrappers with JavaScript
- 2014-46 Use-after-free in nsHostResolver
- 2014-45 Incorrect IDNA domain name matching for wildcard certificates
- 2014-44 Use-after-free in imgLoader while resizing images
- 2014-43 Cross-site scripting (XSS) using history navigations
- 2014-42 Privilege escalation through Web Notification API
- 2014-41 Out-of-bounds write in Cairo
- 2014-40 Firefox for Android addressbar suppression
- 2014-39 Use-after-free in the Text Track Manager for HTML video
- 2014-38 Buffer overflow when using non-XBL object as XBL
- 2014-37 Out of bounds read while decoding JPG images
- 2014-36 Web Audio memory corruption issues
- 2014-35 Privilege escalation through Mozilla Maintenance Service Installer
- 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)
# Fixed in Firefox 28.0.1
# Fixed in Firefox 28
- 2014-32 Out-of-bounds write through TypedArrayObject after neutering
- 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
- 2014-30 Use-after-free in TypeObject
- 2014-29 Privilege escalation using WebIDL-implemented APIs
- 2014-28 SVG filters information disclosure through feDisplacementMap
- 2014-27 Memory corruption in Cairo during PDF font rendering
- 2014-26 Information disclosure through polygon rendering in MathML
- 2014-24 Android Crash Reporter open to manipulation
- 2014-23 Content Security Policy for data: documents not preserved by session restore
- 2014-22 WebGL content injection from one domain to rendering in another
- 2014-21 Local file access via Open Link in new tab
- 2014-20 onbeforeunload and Javascript navigation DOS
- 2014-19 Spoofing attack on WebRTC permission prompt
- 2014-18 crypto.generateCRMFRequest does not validate type of key
- 2014-17 Out of bounds read during WAV file decoding
- 2014-16 Files extracted during updates are not always read only
- 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
# Fixed in Firefox 27
- 2014-13 Inconsistent JavaScript handling of access to Window objects
- 2014-12 NSS ticket handling issues
- 2014-11 Crash when using web workers with asm.js
- 2014-10 Firefox default start page UI content invokable by script
- 2014-09 Cross-origin information leak through web workers
- 2014-08 Use-after-free with imgRequestProxy and image processing
- 2014-07 XSLT stylesheets treated as styles in Content Security Policy
- 2014-06 Profile path leaks to Android system log
- 2014-05 Information disclosure with *FromPoint on iframes
- 2014-04 Incorrect use of discarded images by RasterImage
- 2014-03 UI selection timeout missing on download prompts
- 2014-02 Clone protected content with XBL scopes
- 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
# Fixed in Firefox 26
- 2013-117 Mis-issued ANSSI/DCSSI certificate
- 2013-116 JPEG information leak
- 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
- 2013-114 Use-after-free in synthetic mouse movement
- 2013-113 Trust settings for built-in roots ignored during EV certificate validation
- 2013-112 Linux clipboard information disclosure through selection paste
- 2013-111 Segmentation violation when replacing ordered list elements
- 2013-110 Potential overflow in JavaScript binary search algorithms
- 2013-109 Use-after-free during Table Editing
- 2013-108 Use-after-free in event listeners
- 2013-107 Sandbox restrictions not applied to nested object elements
- 2013-106 Character encoding cross-origin XSS attack
- 2013-105 Application Installation doorhanger persists on navigation
- 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
# Fixed in Firefox 25.0.1
# Fixed in Firefox 25
- 2013-102 Use-after-free in HTML document templates
- 2013-101 Memory corruption in workers
- 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
- 2013-99 Security bypass of PDF.js checks using iframes
- 2013-98 Use-after-free when updating offline cache
- 2013-97 Writing to cycle collected object during image decoding
- 2013-96 Improperly initialized memory and overflows in some JavaScript functions
- 2013-95 Access violation with XSLT and uninitialized data
- 2013-94 Spoofing addressbar through SELECT element
- 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
# Fixed in Firefox 24
- 2013-92 GC hazard with default compartments and frame chain restoration
- 2013-91 User-defined properties on DOM proxies get the wrong "this" object
- 2013-90 Memory corruption involving scrolling
- 2013-89 Buffer overflow with multi-column, lists, and floats
- 2013-88 Compartment mismatch re-attaching XBL-backed nodes
- 2013-87 Shared object library loading from writable location
- 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers
- 2013-85 Uninitialized data in IonMonkey
- 2013-84 Same-origin bypass through symbolic links
- 2013-83 Mozilla Updater does not lock MAR file after signature verification
- 2013-82 Calling scope for new Javascript objects can lead to memory corruption
- 2013-81 Use-after-free with select element
- 2013-80 NativeKey continues handling key messages after widget is destroyed
- 2013-79 Use-after-free in Animation Manager during stylesheet cloning
- 2013-78 Integer overflow in ANGLE library
- 2013-77 Improper state in HTML5 Tree Builder with templates
- 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
# Fixed in Firefox 23
- 2013-75 Local Java applets may read contents of local file system
- 2013-74 Firefox full and stub installer DLL hijacking
- 2013-73 Same-origin bypass with web workers and XMLHttpRequest
- 2013-72 Wrong principal used for validating URI for some Javascript components
- 2013-71 Further Privilege escalation through Mozilla Updater
- 2013-70 Bypass of XrayWrappers using XBL Scopes
- 2013-69 CRMF requests allow for code execution and XSS attacks
- 2013-68 Document URI misrepresentation and masquerading
- 2013-67 Crash during WAV audio file decoding
- 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
- 2013-65 Buffer underflow when generating CRMF requests
- 2013-64 Use after free mutating DOM during SetBody
- 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
# Fixed in Firefox 22
- 2013-62 Inaccessible updater can lead to local privilege escalation
- 2013-61 Homograph domain spoofing in .com, .net and .name
- 2013-60 getUserMedia permission dialog incorrectly displays location
- 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
- 2013-58 X-Frame-Options ignored when using server push with multi-part responses
- 2013-57 Sandbox restrictions not applied to nested frame elements
- 2013-56 PreserveWrapper has inconsistent behavior
- 2013-55 SVG filters can lead to information disclosure
- 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
- 2013-53 Execution of unmapped memory through onreadystatechange event
- 2013-52 Arbitrary code execution within Profiler
- 2013-51 Privileged content access and execution via XBL
- 2013-50 Memory corruption found using Address Sanitizer
- 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)
# Fixed in Firefox 21
- 2013-48 Memory corruption found using Address Sanitizer
- 2013-47 Uninitialized functions in DOMSVGZoomEvent
- 2013-46 Use-after-free with video and onresize event
- 2013-45 Mozilla Updater fails to update some Windows Registry entries
- 2013-44 Local privilege escalation through Mozilla Maintenance Service
- 2013-43 File input control has access to full path
- 2013-42 Privileged access for content level constructor
- 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)
# Fixed in Firefox 20
- 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
- 2013-39 Memory corruption while rendering grayscale PNG images
- 2013-38 Cross-site scripting (XSS) using timed history navigations
- 2013-37 Bypass of tab-modal dialog origin disclosure
- 2013-36 Bypass of SOW protections allows cloning of protected nodes
- 2013-35 WebGL crash with Mesa graphics driver on Linux
- 2013-34 Privilege escalation through Mozilla Updater
- 2013-33 World read and write access to app_tmp directory on Android
- 2013-32 Privilege escalation through Mozilla Maintenance Service
- 2013-31 Out-of-bounds write in Cairo library
- 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)
# Fixed in Firefox 19.0.2
# Fixed in Firefox 19
- 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
- 2013-27 Phishing on HTTPS connection through malicious proxy
- 2013-26 Use-after-free in nsImageLoadingContent
- 2013-25 Privacy leak in JavaScript Workers
- 2013-24 Web content bypass of COW and SOW security wrappers
- 2013-23 Wrapped WebIDL objects can be wrapped again
- 2013-22 Out-of-bounds read in image rendering
- 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)
# Fixed in Firefox 18
- 2013-20 Mis-issued TURKTRUST certificates
- 2013-19 Use-after-free in Javascript Proxy objects
- 2013-18 Use-after-free in Vibrate
- 2013-17 Use-after-free in ListenerManager
- 2013-16 Use-after-free in serializeToStream
- 2013-15 Privilege escalation through plugin objects
- 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype
- 2013-13 Memory corruption in XBL with XML bindings containing SVG
- 2013-12 Buffer overflow in Javascript string concatenation
- 2013-11 Address space layout leaked in XBL objects
- 2013-10 Event manipulation in plugin handler to bypass same-origin policy
- 2013-09 Compartment mismatch with quickstubs returned values
- 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection
- 2013-07 Crash due to handling of SSL on threads
- 2013-06 Touch events are shared across iframes
- 2013-05 Use-after-free when displaying table with many columns and column groups
- 2013-04 URL spoofing in addressbar during page loads
- 2013-03 Buffer Overflow in Canvas
- 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer
- 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)
- 2012-98 Firefox installer DLL hijacking
# Fixed in Firefox 17.0.9
# Fixed in Firefox 17
- 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
- 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
- 2012-104 CSS and HTML injection through Style Inspector
- 2012-103 Frames can shadow top.location
- 2012-102 Script entered into Developer Toolbar runs with chrome privileges
- 2012-101 Improper character decoding in HZ-GB-2312 charset
- 2012-100 Improper security filtering for cross-origin wrappers
- 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
- 2012-98 Firefox installer DLL hijacking
- 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
- 2012-96 Memory corruption in str_unescape
- 2012-95 Javascript: URLs run in privileged context on New Tab page
- 2012-94 Crash when combining SVG text on path with CSS
- 2012-93 evalInSandbox location context incorrectly applied
- 2012-92 Buffer overflow while rendering GIF images
- 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)
# Fixed in Firefox 16.0.2
# Fixed in Firefox 16.0.1
- 2012-89 defaultValue security checks not applied
- 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)
# Fixed in Firefox 16
- 2012-87 Use-after-free in the IME State Manager
- 2012-86 Heap memory corruption issues found using Address Sanitizer
- 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
- 2012-84 Spoofing and script injection through location.hash
- 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
- 2012-82 top object and location property accessible by plugins
- 2012-81 GetProperty function can bypass security checks
- 2012-80 Crash with invalid cast when using instanceof operator
- 2012-79 DOS and crash with full screen and history navigation
- 2012-78 Reader Mode pages have chrome privileges
- 2012-77 Some DOMWindowUtils methods bypass security checks
- 2012-76 Continued access to initial origin after setting document.domain
- 2012-75 select element persistence allows for attacks
- 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)
# Fixed in Firefox 15
- 2012-73 SPDY information disclosure
- 2012-72 Web console eval capable of executing chrome-privileged code
- 2012-71 Insecure use of __android_log_print
- 2012-70 Location object security checks bypassed by chrome code
- 2012-69 Incorrect site SSL certificate data display
- 2012-68 DOMParser loads linked resources in extensions when parsing text/html
- 2012-67 Installer will launch incorrect executable following new installation
- 2012-66 HTTPMonitor extension allows for remote debugging without explicit activation
- 2012-65 Out-of-bounds read in format-number in XSLT
- 2012-64 Graphite 2 memory corruption
- 2012-63 SVG buffer overflow and use-after-free issues
- 2012-62 WebGL use-after-free and memory corruption
- 2012-61 Memory corruption with bitmap format images with negative height
- 2012-60 Escalation of privilege through about:newtab
- 2012-59 Location object can be shadowed using Object.defineProperty
- 2012-58 Use-after-free issues found using Address Sanitizer
- 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)
# Fixed in Firefox 14
- 2012-56 Code execution through javascript: URLs
- 2012-55 feed: URLs with an innerURI inherit security context of page
- 2012-53 Content Security Policy 1.0 implementation errors cause data leakage
- 2012-52 JSDependentString::undepend string conversion results in memory corruption
- 2012-51 X-Frame-Options header ignored when duplicated
- 2012-50 Out of bounds read in QCMS
- 2012-49 Same-compartment Security Wrappers can be bypassed
- 2012-48 use-after-free in nsGlobalWindow::PageHidden
- 2012-47 Improper filtering of javascript in HTML feed-view
- 2012-46 XSS through data: URLs
- 2012-45 Spoofing issue with location
- 2012-44 Gecko memory corruption
- 2012-43 Incorrect URL displayed in addressbar through drag and drop
- 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)
# Fixed in Firefox 13
- 2012-54 Clickjacking of certificate warning page
- 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
- 2012-39 NSS parsing errors with zero length items
- 2012-38 Use-after-free while replacing/inserting a node in a document
- 2012-37 Information disclosure through Windows file shares and shortcut files
- 2012-36 Content Security Policy inline-script bypass
- 2012-35 Privilege escalation through Mozilla Updater and Windows Updater Service
- 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)
# Fixed in Firefox 12
- 2012-33 Potential site identity spoofing when loading RSS and Atom feeds
- 2012-32 HTTP Redirections and remote content can be read by javascript errors
- 2012-31 Off-by-one error in OpenType Sanitizer
- 2012-30 Crash with WebGL content using textImage2D
- 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
- 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions
- 2012-27 Page load short-circuit can lead to XSS
- 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error
- 2012-25 Potential memory corruption during font rendering using cairo-dwrite
- 2012-24 Potential XSS via multibyte content processing errors
- 2012-23 Invalid frees causes heap corruption in gfxImageSurface
- 2012-22 use-after-free in IDBKeyRange
- 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)
# Fixed in Firefox 11
- 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
- 2012-18 window.fullScreen writeable by untrusted content
- 2012-17 Crash when accessing keyframe cssText after dynamic modification
- 2012-16 Escalation of privilege with Javascript: URL as home page
- 2012-15 XSS with multiple Content Security Policy headers
- 2012-14 SVG issues found with Address Sanitizer
- 2012-13 XSS with Drag and Drop and Javascript: URL
- 2012-12 Use-after-free in shlwapi.dll
# Fixed in Firefox 10.0.2
# Fixed in Firefox 10.0.1
# Fixed in Firefox 10
- 2012-09 Firefox Recovery Key.html is saved with unsafe permission
- 2012-08 Crash with malformed embedded XSLT stylesheets
- 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
- 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure
- 2012-05 Frame scripts calling into untrusted objects bypass security checks
- 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
- 2012-03 <iframe> element exposed across domains via name attribute
- 2012-01 Miscellaneous memory safety hazards (rv:10.0/ 1.9.2.26)
# Fixed in Firefox 9
- 2012-41 Use-after-free in nsHTMLSelectElement
- 2011-58 Crash scaling <video> to extreme sizes
- 2011-57 Crash when plugin removes itself on Mac OS X
- 2011-56 Key detection without JavaScript via SVG animation
- 2011-55 nsSVGValue out-of-bounds access
- 2011-54 Potentially exploitable crash in the YARR regular expression library
- 2011-53 Miscellaneous memory safety hazards (rv:9.0)
# Fixed in Firefox 8
- 2011-52 Code execution via NoWaiverWrapper
- 2011-51 Cross-origin image theft on Mac with integrated Intel GPU
- 2011-50 Cross-origin data theft using canvas and Windows D2D
- 2011-49 Memory corruption while profiling using Firebug
- 2011-48 Miscellaneous memory safety hazards (rv:8.0)
- 2011-47 Potential XSS against sites using Shift-JIS
# Fixed in Firefox 7
- 2012-02 Overly permissive IPv6 literal syntax
- 2011-45 Inferring keystrokes from motion data
- 2011-44 Use after free reading OGG headers
- 2011-43 loadSubScript unwraps XPCNativeWrapper scope parameter
- 2011-42 Potentially exploitable crash in the YARR regular expression library
- 2011-41 Potentially exploitable WebGL crashes
- 2011-40 Code installation through holding down Enter
- 2011-39 Defense against multiple Location headers due to CRLF Injection
- 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)
# Fixed in Firefox 6.0.2
# Fixed in Firefox 6.0.1
# Fixed in Firefox 6
- 2011-38 XSS via plugins and shadowed window.location object
- 2011-29 Security issues addressed in Firefox 6
# Fixed in Firefox 5
- 2011-28 Non-whitelisted site can trigger xpinstall
- 2011-27 XSS encoding hazard with inline SVG
- 2011-26 Multiple WebGL crashes
- 2011-25 Stealing of cross-domain images using WebGL textures
- 2011-22 Integer overflow and arbitrary code execution in Array.reduceRight()
- 2011-21 Memory corruption due to multipart/x-mixed-replace images
- 2011-20 Use-after-free vulnerability when viewing XUL document with script disabled
- 2011-19 Miscellaneous memory safety hazards (rv:3.0/1.9.2.18)