Mozilla releases security updates for Firefox 94, Firefox ESR 91.3, and Thunderbird 91.3

Hello everyone,

Mozilla has fixed several high-severity security vulnerabilities in Firefox 94, Firefox ESR 91.3, and Thunderbird 91.3. The details of the vulnerabilities fixed are as follows:

| Platform | CVE ID | Vulnerability | Impact |
|---|---|---|---|
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38503 | iframe sandbox rules did not apply to XSLT stylesheets | High |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38504 | Use-after-free in file picker dialog | High |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38505 | Windows 10 Cloud Clipboard may have recorded sensitive user data | High |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38506 | Firefox could be coaxed into going into fullscreen mode without notification or warning | High |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38507 | Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports | High |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38508 | Permission Prompt could be overlaid, resulting in user confusion and potential spoofing | Moderate |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38509 | Javascript alert box could have been spoofed onto an arbitrary domain | Moderate |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38510 | Download Protections were bypassed by .inetloc files on Mac OS | Moderate |
| Firefox 94 | MOZ-2021-0003 | Universal XSS in Firefox for Android via QR Code URLs | High |
| Firefox 94 | MOZ-2021-0004 | Web Extensions could access pre-redirect URL when their context menu was triggered by a user | Moderate |
| Firefox 94 | MOZ-2021-0005 | 'Copy Image Link' context menu action could have been abused to see authentication tokens | Low |
| Firefox 94 | MOZ-2021-0006 | URL Parsing may incorrectly parse internationalized domains | Low |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | MOZ-2021-0007 | Memory safety bugs fixed in Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | High |
| Firefox ESR 91.3, Thunderbird 91.3 | MOZ-2021-0008 | Use-after-free in HTTP2 Session object | High |

To patch these vulnerabilities, initiate a sync between the Central Patch Repository and the Desktop Central server. Once synced, search for the following Patch IDs or Bulletin IDs and deploy them to your target systems.

| Patch ID | Bulletin ID | Patch Description |
|---|---|---|
| 322240 | TU-054 | Mozilla Firefox ESR (91) (x64) (91.3.0) |
| 322239 | TU-054 | Mozilla Firefox ESR (91) (91.3.0) |
| 322237 | TU-027 | Mozilla Firefox (94.0) |
| 322238 | TU-027 | Mozilla Firefox (x64) (94.0) |
| 322244 | TU-028 | Mozilla Thunderbird (91) (91.3.0) |
| 322245 | TU-028 | Mozilla Thunderbird (91) (x64) (91.3.0) |

Cheers,

The ManageEngine Team