Mozilla releases security updates for Firefox (107.0), Firefox ESR (102.5.0) and Thunderbird (102.5.0)
Hello everyone,
Mozilla has fixed several high severity security vulnerabilities in Firefox (107.0), Firefox ESR (102.5.0) and Thunderbird (102.5.0). The details of the vulnerabilities fixed are as follows:
| Platform | CVE ID | Vulnerability | Impact |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45403 | Service Workers might have learned size of cross-origin media files | High |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45404 | Fullscreen notification bypass | High |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45405 | Use-after-free in InputStream implementation | High |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45406 | Use-after-free of a JavaScript Realm | High |
Firefox 107 | CVE-2022-45407 | Loading fonts on workers was not thread-safe | High |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45408 | Fullscreen notification bypass via windowName | High |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45409 | Use-after-free in Garbage Collection | High |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45410 | ServiceWorker-intercepted requests bypassed SameSite cookie policy | Moderate |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45411 | Cross-Site Tracing was possible via non-standard override headers | Moderate |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45412 | Symlinks may resolve to partially uninitialized buffers | Moderate |
Firefox 107 | CVE-2022-45413 | SameSite=Strict cookies could have been sent cross-site via intent URLs | Moderate |
Firefox 107 | CVE-2022-40674 | Use-after-free vulnerability in expat | Moderate |
Firefox 107 | CVE-2022-45415 | Downloaded file may have been saved with malicious extension | Moderate |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45416 | Keystroke Side-Channel Leakage | Moderate |
Firefox 107 | CVE-2022-45417 | Service Workers in Private Browsing Mode may have been written to disk | Moderate |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45418 | Custom mouse cursor could have been drawn over browser UI | Moderate |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45419 | Deleting a security exception did not take effect immediately | Low |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45420 | Iframe contents could be rendered outside the iframe | Low |
Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | CVE-2022-45421 | Memory safety bugs fixed in Firefox 107, Firefox ESR 102.5 and Thunderbird 102.5 | High |
To install this update on your machines, initiate a sync between the Central Patch Repository and the Endpoint Central server. Once the sync is complete, search for the following Patch IDs or Bulletin ID and deploy them to your target systems.
| Patch ID | Bulletin ID | Patch description |
327627 | TU-028 | Mozilla Thunderbird 102 (x64) (102.5.0) |
327626 | TU-028 | Mozilla Thunderbird 102 (102.5.0) |
327616 | TU-027 | Mozilla Firefox (x64) (107.0) |
327615 | TU-027 | Mozilla Firefox (107.0) |
327618 | TU-054 | Mozilla Firefox ESR (102) (x64) (102.5.0) |
327617 | TU-054 | Mozilla Firefox ESR (102) (102.5.0) |
604457 | MAC-007 | Mozilla Thunderbird For Mac (102.5.0) |
604456 | MAC-006 | Mozilla Firefox For Mac (107.0) |
604455 | MAC-111 | Mozilla Firefox ESR for MAC 102.5.0 |
Cheers,
The ManageEngine Team