Mozilla releases security updates for Firefox 94, Firefox ESR 91.3, and Thunderbird 91.3

Hello everyone,

Mozilla has fixed several high-severity security vulnerabilities in Firefox 94, Firefox ESR 91.3, and Thunderbird 91.3. The details of the vulnerabilities fixed are as follows:

| Platform | CVE ID | Vulnerability | Impact |
|---|---|---|---|
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38503 | iframe sandbox rules did not apply to XSLT stylesheets | High |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38504 | Use-after-free in file picker dialog | High |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38505 | Windows 10 Cloud Clipboard may have recorded sensitive user data | High |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38506 | Firefox could be coaxed into going into fullscreen mode without notification or warning | High |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38507 | Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports | High |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38508 | Permission Prompt could be overlaid, resulting in user confusion and potential spoofing | Moderate |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38509 | Javascript alert box could have been spoofed onto an arbitrary domain | Moderate |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38510 | Download Protections were bypassed by .inetloc files on Mac OS | Moderate |
| Firefox 94 | MOZ-2021-0003 | Universal XSS in Firefox for Android via QR Code URLs | High |
| Firefox 94 | MOZ-2021-0004 | Web Extensions could access pre-redirect URL when their context menu was triggered by a user | Moderate |
| Firefox 94 | MOZ-2021-0005 | 'Copy Image Link' context menu action could have been abused to see authentication tokens | Low |
| Firefox 94 | MOZ-2021-0006 | URL Parsing may incorrectly parse internationalized domains | Low |
| Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | MOZ-2021-0007 | Memory safety bugs fixed in Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | High |
| Firefox ESR 91.3, Thunderbird 91.3 | MOZ-2021-0008 | Use-after-free in HTTP2 Session object | High |

To patch these vulnerabilities, initiate a sync between the Central Patch Repository and the Patch Manager Plus server. Once synced, search for the following Patch IDs or Bulletin IDs and deploy them to your target systems.

| Patch ID | Bulletin ID | Patch Description |
|---|---|---|
| 322240 | TU-054 | Mozilla Firefox ESR (91) (x64) (91.3.0) |
| 322239 | TU-054 | Mozilla Firefox ESR (91) (91.3.0) |
| 322237 | TU-027 | Mozilla Firefox (94.0) |
| 322238 | TU-027 | Mozilla Firefox (x64) (94.0) |
| 322244 | TU-028 | Mozilla Thunderbird (91) (91.3.0) |
| 322245 | TU-028 | Mozilla Thunderbird (91) (x64) (91.3.0) |

Cheers,

The ManageEngine Team