Mozilla fixes several high severity vulnerabilities in Firefox 98, Firefox ESR 91.7 and Thunderbird 91.7

Hey everyone,

Mozilla has released fixes for several high-severity vulnerabilities in Firefox 98, Firefox ESR 91.7 and Thunderbird 91.7. The details of the vulnerabilities fixed can be found below:

CVE ID	Description	Impact
CVE-2022-26383 (Firefox, Firefox ESR and Thunderbird)	Browser window spoof using fullscreen mode	High
CVE-2022-26384 (Firefox, Firefox ESR and Thunderbird)	iframe allow-scripts sandbox bypass	High
CVE-2022-26387 (Firefox, Firefox ESR and Thunderbird)	Time-of-check time-of-use bug when verifying add-on signatures	High
CVE-2022-26381 (Firefox, Firefox ESR and Thunderbird)	Use-after-free in text reflows	High
CVE-2022-26382 (Firefox)	Autofill Text could be exfiltrated via side-channel attacks	Moderate
CVE-2022-26385 (Firefox)	Use-after-free in thread shutdown	Moderate
CVE-2022-0843 (Firefox)	Memory safety bugs fixed in Firefox 98	Moderate
CVE-2022-26386 (Firefox ESR and Thunderbird for macOS and Linux)	Temporary files downloaded to /tmp and accessible by other local users	Low

* Products affected by the bugs are mentioned in brackets.

To install these patches, initiate a sync between the Central Patch Repository and the Desktop Central / Patch Manager Plus / Vulnerability Manager Plus server. Once synced, search for the following Patch IDs or Bulletin IDs and deploy them to your target systems.

Firefox 98

Patch ID	Bulletin ID	Patch Description
323890	TU-027	Mozilla Firefox (x64) (98.0) for Windows
323889	TU-027	Mozilla Firefox (98.0) for Windows
603660	MAC-006	Mozilla Firefox For Mac (98.0)

Firefox ESR 91.7

Patch ID	Bulletin ID	Patch Description
323892	TU-027	Mozilla Firefox ESR (x64) (91.7) for Windows
323891	TU-027	Mozilla Firefox ESR (91.7) for Windows
603661	MAC-111	Mozilla Firefox ESR for MAC 91.7
803108	DSA-5097-1	Mozilla Firefox ESR Security Update (x64) for Linux (Debian)
803109	DSA-5097-1	Mozilla Firefox ESR Security Update for Linux (Debian)