Mozilla releases security updates for Firefox 95, Firefox ESR 91.4.0, and Thunderbird 91.4.0
Hello everyone,
Mozilla has fixed several high severity security vulnerabilities in Firefox 95, Firefox ESR 91.4.0, and Thunderbird 91.4.0. The details of the vulnerabilities fixed are as follows:| Platform | CVE ID | Vulnerability | Impact |
| Thunderbird 91.4.0 | CVE-2021-43528 | JavaScript unexpectedly enabled for the composition area | Low |
| Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0 | CVE-2021-43536 | URL leakage when navigating while executing asynchronous function | High |
| Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0 | CVE-2021-43537 | Heap buffer overflow when using structured clone | High |
| Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0 | CVE-2021-43538 | Missing fullscreen and pointer lock notification when requesting both | High |
| Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0 | CVE-2021-43539 | GC rooting failure when calling wasm instance methods | High |
| Firefox 95 | CVE-2021-43540 | WebExtensions could have installed persistent ServiceWorkers | Moderate |
| Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0 | CVE-2021-43541 | External protocol handler parameters were unescaped | Moderate |
| Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0 | CVE-2021-43542 | XMLHttpRequest error codes could have leaked the existence of an external protocol handler | Moderate |
| Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0 | CVE-2021-43543 | Bypass of CSP sandbox directive when embedding | Moderate |
| Firefox 95 | CVE-2021-43544 | Universal XSS in Firefox for Android via QR Code URLs | High |
| Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0 | CVE-2021-43545 | Denial of Service when using the Location API in a loop | Low |
| Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0 | CVE-2021-43546 | Cursor spoofing could overlay user interface when native cursor is zoomed | Low |
| Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0 | MOZ-2021-0009 | Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4, Thunderbird 91.4.0 | High |
| Firefox 95 | MOZ-2021-0010 | Use-after-free in fullscreen objects on MacOS | High |
To patch these vulnerabilities, initiate a sync between the Central Patch Repository and the Vulnerability Manager Plus server. Once synced, search for the following Patch IDs or Bulletin IDs and deploy them to your target systems.
| Patch ID | Bulletin ID | Patch Description |
| 322722 | TU-027 | Mozilla Firefox (95.0) |
| 322723 | TU-027 | Mozilla Firefox (x64) (95.0) |
| 322724 | TU-054 | Mozilla Firefox ESR (91) (91.4.0) |
| 322727 | TU-054 | Mozilla Firefox ESR (91) (x64) (91.4.0) |
| 322726 | TU-028 | Mozilla Thunderbird (91) (x64) (91.4.0) |
| 322725 | TU-028 | Mozilla Thunderbird (91) (91.4.0) |
Cheers,
The ManageEngine Team