Mozilla releases security updates for Firefox 85, Thunderbird 78.7, Firefox ESR 78.7
Hello everyone,
Mozilla has fixed several security vulnerabilities in Firefox 85, Thunderbird 78.7, Firefox ESR 78.7. The details of the vulnerabilities fixed are as follows:
| Platform | CVE ID | Vulnerability | Impact |
| Firefox 85, Thunderbird 78.7, Firefox ESR 78.7 | CVE-2021-23953 | Cross-origin information leakage via redirected PDF requests | High |
| Firefox 85, Thunderbird 78.7, Firefox ESR 78.7 | CVE-2021-23954 | Type confusion when using logical assignment operators in JavaScript switch statements | High |
| Firefox 85 | CVE-2021-23955 | Clickjacking across tabs through misusing requestPointerLock | High |
| Firefox 85 | CVE-2021-23956 | File picker dialog could have been used to disclose a complete directory | Moderate |
| Firefox 85 | CVE-2021-23957 | Iframe sandbox could have been bypassed on Android via the intent URL scheme | Moderate |
| Firefox 85 | CVE-2021-23958 | Screen sharing permission leaked across tabs | Moderate |
| Firefox 85 | CVE-2021-23959 | Cross-Site Scripting in error pages on Firefox for Android | Moderate |
| Firefox 85, Thunderbird 78.7, Firefox ESR 78.7 | CVE-2021-23960 | Use-after-poison for incorrectly redeclared JavaScript variables during GC | Moderate |
| Firefox 85 | CVE-2021-23961 | More internal network hosts could have been probed by a malicious webpage | Moderate |
| Firefox 85 | CVE-2021-23962 | Use-after-poison in <code>nsTreeBodyFrame::RowCountChanged</code> | Low |
| Firefox 85 | CVE-2021-23963 | Permission prompt inaccessible after asking for additional permissions | Low |
| Firefox 85, Thunderbird 78.7, Firefox ESR 78.7 | CVE-2021-23964 | Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7 | High |
| Firefox 85 | CVE-2021-23965 | Memory safety bugs fixed in Firefox 85 | High |
| Thunderbird 78.7 | CVE-2020-15685 | IMAP Response Injection when using STARTTLS | Moderate |
| Thunderbird 78.7, Firefox ESR 78.7 | CVE-2020-26976 | HTTPS pages could have been intercepted by a registered service worker when they should not have been | Moderate |
To patch these vulnerabilities, initiate a sync between the Central Patch Repository and the Patch Manager Plus server. Once synced, search for the following Patch IDs or Bulletin IDs and deploy them to your target systems.
| Patch ID | Bulletin ID | Patch Description |
| 318090 | TU-027 | Mozilla Firefox (85.0) |
| 318091 | TU-027 | Mozilla Firefox (x64) (85.0) |
| 318094 | TU-028 | Mozilla Thunderbird (78.7.0) |
| 318095 | TU-028 | Mozilla Thunderbird (x64) (78.7.0) |
| 318092 | TU-054 | Mozilla Firefox ESR (78.7.0) |
| 318093 | TU-054 | Mozilla Firefox ESR (x64) (78.7.0) |
Cheers,
The ManageEngine Team