trium

Posts posted by trium

  1. ff v102.0 esr

    28. june 2022

    New

      • We now provide more secure connections: Firefox can now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc headers.
      • For added viewing pleasure, full-range color levels are now supported for video playback on many systems.
      • Find it easier now! Mac users can now access the macOS share options from the Firefox File menu.
      • Voilà! Support for images containing ICC v4 profiles is enabled on macOS.
      • Firefox now supports the new AVIF image format, which is based on the modern and royalty-free AV1 video codec. It offers significant bandwidth savings for sites compared to existing image formats. It also supports transparency and other advanced features.
      • Firefox PDF viewer now supports filling more forms (e.g., XFA-based forms, used by multiple governments and banks). Learn more.
      • When available system memory is critically low, Firefox on Windows will automatically unload tabs based on their last access time, memory usage, and other attributes. This helps to reduce Firefox out-of-memory crashes. Forgot something? Switching to an unloaded tab automatically reloads it.
      • To prevent session loss for macOS users who are running Firefox from a mounted .dmg file, they’ll now be prompted to finish installation. Bear in mind, this permission prompt only appears the first time these users run Firefox on their computer.
      • For your safety, Firefox now blocks downloads that rely on insecure connections, protecting against potentially malicious or unsafe downloads. Learn more and see where to find downloads in Firefox.
      • Improved web compatibility for privacy protections with SmartBlock 3.0: In Private Browsing and Strict Tracking Protection, Firefox goes to great lengths to protect your web browsing activity from trackers. As part of this, the built-in content blocking will automatically block third-party scripts, images, and other content from being loaded from cross-site tracking companies reported by Disconnect. Learn more.
      • Introducing a new referrer tracking protection in Strict Tracking Protection and Private Browsing. This feature prevents sites from unknowingly leaking private information to trackers. Learn more.
      • Introducing Firefox Suggest, a feature that provides website suggestions as you type into the address bar. Learn more about this faster way to navigate the web and locale-specific features.
      • Firefox macOS now uses Apple's low-power mode for fullscreen video on sites such as YouTube and Twitch. This meaningfully extends battery life in long viewing sessions. Now your kids can find out what the fox says on a loop without you ever missing a beat…
      • With this release, power users can use about:unloads to release system resources by manually unloading tabs without closing them.
      • On Windows, there will now be fewer interruptions because Firefox won’t prompt you for updates. Instead, a background agent will download and install updates even if Firefox is closed.
      • On Linux, we’ve improved WebGL performance and reduced power consumption for many users.
      • To better protect all Firefox users against side-channel attacks, such as Spectre, we introduced Site Isolation.
      • Firefox no longer warns you by default when you exit the browser or close a window using a menu, button, or three-key command. This should cut back on unwelcome notifications, which is always nice—however, if you prefer a bit of notice, you’ll still have full control over the quit/close modal behavior. All warnings can be managed within Firefox Settings. No worries! More details here.
      • Firefox supports the new Snap Layouts menus when running on Windows 11.
      • RLBox—a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries—is now enabled on all platforms.
      • We’ve reduced CPU usage on macOS in Firefox and WindowServer during event processing.
      • We’ve also reduced the power usage of software decoded video on macOS, especially in fullscreen. This includes streaming sites such as Netflix and Amazon Prime Video.
      • You can now move the Picture-in-Picture toggle button to the opposite side of the video. Simply look for the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side.
      • We’ve made significant improvements in noise suppression and auto-gain-control, as well as slight improvements in echo-cancellation to provide you with a better overall experience.
      • We’ve also significantly reduced main-thread load.
      • When printing, you can now choose to print only the odd/even pages.
      • Firefox now supports and displays the new style of scrollbars on Windows 11.
      • Firefox has a new optimized download flow. Instead of prompting every time, files will download automatically. However, they can still be opened from the downloads panel with just one click. Easy! More information
      • Firefox no longer asks what to do for each file by default. You won’t be prompted to choose a helper application or save to disk before downloading a file unless you have changed your download action setting for that type of file.
      • Any files you download will be immediately saved on your disk. Depending on the current configuration, they’ll be saved in your preferred download folder, or you’ll be asked to select a location for each download. Windows and Linux users will find their downloaded files in the destination folder. They’ll no longer be put in the Temp folder.
      • Firefox allows users to choose from a number of built-in search engines to set as their default. In this release, some users who had previously configured a default engine might notice their default search engine has changed since Mozilla was unable to secure formal permission to continue including certain search engines in Firefox.
      • You can now toggle Narrate in ReaderMode with the keyboard shortcut "n."
      • You can find added support for search—with or without diacritics—in the PDF viewer.
      • The Linux sandbox has been strengthened: processes exposed to web content no longer have access to the X Window system (X11).
      • Firefox now supports credit card autofill and capture in Germany, France, and the United Kingdom.
      • We now support captions/subtitles display on YouTube, Prime Video, and Netflix videos you watch in Picture-in-Picture. Just turn on the subtitles on the in-page video player, and they will appear in PiP.
      • Picture-in-Picture now also supports video captions on websites that use Web Video Text Track (WebVTT) format (e.g., Coursera.org, Canadian Broadcasting Corporation, and many more).
      • On the first run after install, Firefox detects when its language does not match the operating system language and offers the user a choice between the two languages.
      • Firefox spell checking now checks spelling in multiple languages. To enable additional languages, select them in the text field’s context menu.
      • HDR video is now supported in Firefox on Mac—starting with YouTube! Firefox users on macOS 11+ (with HDR-compatible screens) can enjoy higher-fidelity video content. No need to manually flip any preferences to turn HDR video support on—just make sure battery preferences are NOT set to “optimize video streaming while on battery”.
      • Hardware-accelerated AV1 video decoding is enabled on Windows with supported GPUs (Intel Gen 11+, AMD RDNA 2 Excluding Navi 24, GeForce 30). Installing the AV1 Video Extension from the Microsoft Store may also be required.
      • Video overlay is enabled on Windows for Intel GPUs, reducing power usage during video playback.
      • Improved fairness between painting and handling other events. This noticeably improves the performance of the volume slider on Twitch.
      • Scrollbars on Linux and Windows 11 won't take space by default. On Linux, users can change this in Settings. On Windows, Firefox follows the system setting (System Settings > Accessibility > Visual Effects > Always show scrollbars).
      • Firefox now ignores less restricted referrer policies—including unsafe-url, no-referrer-when-downgrade, and origin-when-cross-origin—for cross-site subresource/iframe requests to prevent privacy leaks from the referrer.
      • Reading is now easier with the prefers-contrast media query, which allows sites to detect if the user has requested that web content is presented with a higher (or lower) contrast.
      • All non-configured MIME types can now be assigned a custom action upon download completion.
      • Firefox now allows users to use as many microphones as they want, at the same time, during video conferencing. The most exciting benefit is that you can easily switch your microphones at any time (if your conferencing service provider enables this flexibility).
      • Print preview has been updated.

    Fixed

     

  2. ff v91.11.0 esr

    28. june 2022

    Fixed

    • Various stability, functionality, and security fixes.

    Quote

    Security Vulnerabilities fixed in Firefox ESR 91.11

    Announced June 28, 2022
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 91.11

    Note: While Bug 1771084 does not represent a specific vulnerability that was fixed, we recommend anyone rebasing patches to include it. 102 branch: Patch 1 and 2. 91 Branch: Patch 1 and 2 (Despite saying Parts 2 and 3, there is no Part 1)

    #CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content

    Reporter Irvan Kurniawan
    Impact high
    Description

    A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks.
    This bug only affects Firefox for Linux. Other operating systems are unaffected.

    References

    #CVE-2022-34470: Use-after-free in nsSHistory

    Reporter Armin Ebert
    Impact high
    Description

    Navigations between XML documents may have led to a use-after-free and potentially exploitable crash.

    References

    #CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI

    Reporter Armin Ebert
    Impact high
    Description

    An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link.

    References

    #CVE-2022-34481: Potential integer overflow in ReplaceElementsAt

    Reporter Ronald Crane
    Impact moderate
    Description

    In the nsTArray_Impl::ReplaceElementsAt() function, an integer overflow could have occurred when the number of elements to replace was too large for the container.

    References

    #CVE-2022-31744: CSP bypass enabling stylesheet injection

    Reporter Gertjan
    Impact moderate
    Description

    An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy.

    References

    #CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked

    Reporter Laurent Bigonville
    Impact moderate
    Description

    If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown.

    References

    #CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt

    Reporter Gijs
    Impact moderate
    Description

    The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.
    This bug only affects Firefox on Windows. Other operating systems are unaffected.

    References

    #CVE-2022-2200: Undesired attributes could be set as part of prototype pollution

    Reporter Manfred Paul via Trend Micro's Zero Day Initiative
    Impact moderate
    Description

    If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution.

    References

    #CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11

    Reporter Mozilla developers and community
    Impact high
    Description

    The Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101 and Firefox ESR 91.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

    References
  3. ff v102.0

    28. june 2022

    New

    • Tired of too many windows crowding your screen? You can now disable automatic opening of the download panel every time a new download starts. Read more.

    • Firefox now mitigates query parameter tracking when navigating sites if you have enabled strict mode for Enhanced Tracking Protection.

    Fixed

    • When using a screen reader on Windows, pressing enter to activate an element no longer fails or clicks the wrong element and/or another application window. For those blind or with very limited vision, this technology reads out loud what is on the screen, and users can adapt them to their needs (now, on our platform, without errors).

    • Various security fixes.

    Changed

    Enterprise

    • Various bug fixes and new policies have been implemented in the latest version of Firefox. You can find more information in the Firefox for Enterprise 102 Release Notes.

    • Firefox 102 is the new Extended Support Release (ESR). Firefox 91 ESR goes out of support on September 20, 2022. (See the 102 ESR release notes for more information)

    Developer

    Developer Information

    • You can now filter style sheets in the Style Editor tab of our developer tools

    Web Platform

    • TransformStream and ReadableStream.pipeThrough have landed, allowing you to pipe from a ReadableStream to a WritableStream, executing a transformation on each chunk.

    • ReadableStream, TransformStream, and WritableStream are all transferable now.

    • Firefox now supports Content-Security-Policy (CSP) integration with WebAssembly. A document with a CSP that restricts scripts will no longer execute WebAssembly unless the policy uses 'unsafe-eval' or the new 'wasm-unsafe-eval' keyword.
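The CSP rule for WebAssembly in the last item above can be checked against a policy before it is deployed. The following is an added example, not code from the release notes or from Firefox; the function names and sample policies are constructed, and it only evaluates enforced `Content-Security-Policy` header values (not report-only policies).

```javascript
// Added example: audits a Content-Security-Policy header value for the
// WebAssembly rule described above. All names here are hypothetical.

// Parse one serialized policy into Map<directive-name, source-list>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores duplicates.
    if (!directives.has(name)) {
      // Lower-casing is safe here because only keywords are compared below.
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Decide whether a single policy lets the document compile WebAssembly.
function policyAllowsWasm(policy) {
  const directives = parsePolicy(policy);
  // script-src governs WebAssembly; default-src is its fallback.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) {
    return { allowed: true, reason: 'policy does not restrict scripts' };
  }
  if (sources.includes("'wasm-unsafe-eval'")) {
    return { allowed: true, reason: "'wasm-unsafe-eval' present" };
  }
  if (sources.includes("'unsafe-eval'")) {
    // Works, but also re-enables eval(); the narrower keyword is preferable.
    return { allowed: true, reason: "'unsafe-eval' present (also permits eval)" };
  }
  return { allowed: false, reason: 'scripts restricted without a wasm keyword' };
}

// A header value may carry several comma-separated policies.
// Every one of them has to allow WebAssembly.
function headerAllowsWasm(headerValue) {
  return headerValue.split(',').every((p) => policyAllowsWasm(p).allowed);
}

// Constructed sample policies.
const samples = [
  "default-src 'self'",
  "script-src 'self' 'wasm-unsafe-eval'",
  "default-src 'self' 'unsafe-eval'; script-src 'self'",
  "img-src *",
];
for (const s of samples) {
  console.log(JSON.stringify(s), policyAllowsWasm(s));
}
```

A policy that reports `'unsafe-eval' present` is a candidate for tightening to `'wasm-unsafe-eval'` when the site needs WebAssembly but not `eval()`.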

  4. ff v91.10.0 esr

    31. may 2022

    Fixed

    • Various stability, functionality, and security fixes.

    Quote

    Security Vulnerabilities fixed in Firefox ESR 91.10

    Announced May 31, 2022
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 91.10

    #CVE-2022-31736: Cross-Origin resource's length leaked

    Reporter Luan Herrera
    Impact high
    Description

    A malicious website could have learned the size of a cross-origin resource that supported Range requests.

    References

    #CVE-2022-31737: Heap buffer overflow in WebGL

    Reporter Atte Kettunen
    Impact high
    Description

    A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash.

    References

    #CVE-2022-31738: Browser window spoof using fullscreen mode

    Reporter Irvan Kurniawan
    Impact high
    Description

    When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks.

    References

    #CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files

    Reporter Chaobin Zhang
    Impact high
    Description

    When downloading files on Windows, the % character was not escaped, which could have led to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.
    This bug only affects Firefox for Windows. Other operating systems are unaffected.

    References

    #CVE-2022-31740: Register allocation problem in WASM on arm64

    Reporter Gary Kwong
    Impact high
    Description

    On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash.

    References

    #CVE-2022-31741: Uninitialized variable leads to invalid memory read

    Reporter Yaniv
    Impact high
    Description

    A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption.

    References

    #CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information

    Reporter Michal
    Impact moderate
    Description

    An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals.

    References

    #CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10

    Reporter Mozilla developers and community
    Impact high
    Description

    Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100 and Firefox ESR 91.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

    References
  5. ff v101.0

    31. may 2022

    New

    • Reading is now easier with the prefers-contrast media query, which allows sites to detect if the user has requested that web content is presented with a higher (or lower) contrast.

    • It’s your choice! All non-configured MIME types can now be assigned a custom action upon download completion.

    • Firefox now allows users to use as many microphones as they want, at the same time, during video conferencing. The most exciting benefit is that you can easily switch your microphones at any time (if your conferencing service provider enables this flexibility).

    Fixed

    Changed

    • Removed "subject common name" fallback support from certificate validation. This fallback mode was previously enabled only for manually installed certificates. The CA Browser Forum Baseline Requirements have required the presence of the "subjectAltName" extension since 2012, and use of the subject common name was deprecated in RFC 2818.

    Enterprise

    Developer

    Developer Information

    • Inspector panel: When adding/removing a class name to/from an existing HTML element (using .cls button in Rules View), an autocomplete drop down automatically offers all existing class names on the page. In Firefox 101 the selected class name in the autocomplete drop-down list is auto-applied immediately as the user changes the selection of the autocomplete list (using up/down arrow keys). This is especially useful for quick testing of various styles.

    • Inspector panel: This new option can be used to disable “drag to update” features in the Rule View (values of some CSS properties e.g., sizes can be modified by dragging the mouse horizontally).

      Screenshot showing Inspector Panel drag to update option checkbox

    • WebDriver BiDi: This protocol is enabled on the release channel to support external tools such as Selenium, which plan to start using WebDriver BiDi for Firefox. WebDriver-BiDi aims to provide a cross-browser protocol for browser automation that meets the requirements of modern web application testing tools. This allows both the client and the server to send & receive requests and responses.

    Web Platform

    • Firefox has now added support for large, small, dynamic viewport units and logical ones (*vi and *vb). This gives users the flexibility to choose whether page elements are sized to the “smallest” viewport size (dynamic toolbar visible), “largest” viewport size (dynamic toolbar hidden), or “dynamic” viewport size (based on current status of dynamic toolbar).

    • Firefox 101 features added web conferencing support for enumerating (reducing errors caused by transposing or mistyping numbers) and selecting multiple audio input devices (giving you the ability to record or process multiple separate audio sources together, synchronously, at once) through navigator.mediaDevices.enumerateDevices().

  6. ff v91.9.1 esr

    20. may 2022

    Fixed

    Quote

    Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1

    Announced May 20, 2022
    Impact critical
    Products Firefox, Firefox ESR, Firefox for Android, Thunderbird
    Fixed in
    • Firefox 100.0.2
    • Firefox ESR 91.9.1
    • Firefox for Android 100.3
    • Thunderbird 91.9.1

    #CVE-2022-1802: Prototype pollution in Top-Level Await implementation

    Reporter Manfred Paul via Trend Micro's Zero Day Initiative
    Impact critical
    Description

    If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.

    References

    #CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution

    Reporter Manfred Paul via Trend Micro's Zero Day Initiative
    Impact critical
    Description

    An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.

    References
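The double-indexing pattern named in CVE-2022-1529 above, next to a hardened form, as an added example that is not part of the original post and is not Firefox code. The handler names, message shape and sample messages are constructed for illustration.

```javascript
// Added example: a message handler that files values under two keys taken
// from the message. All names and messages here are hypothetical.

// Unsafe pattern: both index keys come straight from the message.
// With origin "__proto__", store[origin] resolves to Object.prototype, so the
// second index writes a property that every plain object then inherits.
function unsafeSave(store, msg) {
  if (!store[msg.origin]) {
    store[msg.origin] = {};
  }
  store[msg.origin][msg.id] = msg.value;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Keys must be non-empty strings and must not name prototype machinery.
function isSafeKey(key) {
  return typeof key === 'string' && key.length > 0 && !FORBIDDEN_KEYS.has(key);
}

// Hardened pattern: validate the keys, then store in a Map of Maps.
// Map keys never resolve through the prototype chain.
function safeSave(store, msg) {
  if (!isSafeKey(msg.origin) || !isSafeKey(msg.id)) {
    return false; // reject instead of indexing with untrusted keys
  }
  let perOrigin = store.get(msg.origin);
  if (!perOrigin) {
    perOrigin = new Map();
    store.set(msg.origin, perOrigin);
  }
  perOrigin.set(msg.id, msg.value);
  return true;
}

// Runs both handlers over constructed messages and reports what happened.
function demo() {
  const benign = { origin: 'https://example.org', id: 'n1', value: 'hello' };
  const hostile = { origin: '__proto__', id: 'injected', value: 'from-message' };

  const plainStore = {};
  unsafeSave(plainStore, benign);
  unsafeSave(plainStore, hostile);
  // A fresh, unrelated object now carries the injected property.
  const pollutedAfterUnsafe = ({}).injected === 'from-message';
  delete Object.prototype.injected; // undo the pollution before continuing

  const mapStore = new Map();
  const benignAccepted = safeSave(mapStore, benign);
  const hostileAccepted = safeSave(mapStore, hostile);
  const pollutedAfterSafe = 'injected' in {};

  return {
    pollutedAfterUnsafe,
    benignAccepted,
    hostileAccepted,
    pollutedAfterSafe,
    storedValue: mapStore.get(benign.origin).get(benign.id),
  };
}

console.log(demo());
```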
  7. ff v100.0

    03. may 2022

    New

    • We now support captions/subtitles display on YouTube, Prime Video, and Netflix videos you watch in Picture-in-Picture. Just turn on the subtitles on the in-page video player, and they will appear in PiP.

    • Picture-in-Picture now also supports video captions on websites that use WebVTT (Web Video Text Track) format, like Coursera.org, Canadian Broadcasting Corporation, and many more.

    • On the first run after install, Firefox detects when its language does not match the operating system language and offers the user a choice between the two languages.

    • Firefox spell checking now checks spelling in multiple languages. To enable additional languages, select them in the text field’s context menu.

    • HDR video is now supported in Firefox on Mac—starting with YouTube! Firefox users on macOS 11+ (with HDR-compatible screens) can enjoy higher-fidelity video content. No need to manually flip any preferences to turn HDR video support on—just make sure battery preferences are NOT set to “optimize video streaming while on battery”.

    • Hardware accelerated AV1 video decoding is enabled on Windows with supported GPUs (Intel Gen 11+, AMD RDNA 2 Excluding Navi 24, GeForce 30). Installing the AV1 Video Extension from the Microsoft Store may also be required.

    • Video overlay is enabled on Windows for Intel GPUs, reducing power usage during video playback.

    • Improved fairness between painting and handling other events. This noticeably improves the performance of the volume slider on Twitch.

    • Scrollbars on Linux and Windows 11 won't take space by default. On Linux, users can change this in Settings. On Windows, Firefox follows the system setting (System Settings > Accessibility > Visual Effects > Always show scrollbars).

    • Firefox now supports credit card autofill and capture in the United Kingdom.

    • Firefox now ignores less restricted referrer policies—including unsafe-url, no-referrer-when-downgrade, and origin-when-cross-origin—for cross-site subresource/iframe requests to prevent privacy leaks from the referrer.

    Fixed

    • Users can now choose preferred color schemes for websites. Theme authors can now make better decisions about which color scheme Firefox uses for menus. Web content appearance can now be changed in Settings.

    • Beginning in this release, the Firefox installer for Windows is signed with a SHA-256 digest, rather than SHA-1. Update KB4474419 is required for successful installation on a computer running Microsoft Windows 7. For more details about this update, visit the Microsoft Technical Support website.

    • In macOS 11+ we now only rasterize the fonts once per window. This means that opening a new tab is fast, and switching tabs in the same window is also fast. (There's still work to do to share fonts across windows, or to reduce the time it takes to initialize these fonts.)

    • The performance of deeply-nested display: grid elements is greatly improved.

    • Support for profiling multiple Java threads has been added.

    • Soft-reloading a web page will no longer cause revalidation for all resources.

    • Non-vsync tasks are given more time to run, which improves behavior on Google Docs and Twitch.

    • GeckoView APIs have been added to control the start/stop time of capturing a profile.

    • Various security fixes.

    Changed

    • Firefox has a new focus indicator for links which replaces the old dotted outline with a solid blue outline. This change unifies the focus indicators across form fields and links, which makes it easier to identify the focused link, especially for users with low vision.

    • New users can now set Firefox as the default PDF handler when setting Firefox as their default browser.

    • Some websites might not work correctly in Firefox version 100 due to Firefox's new three-digit number. You can read about it in our blog post here!

      See the Mozilla Support article Difficulties opening or using a website in Firefox 100 for possible workarounds you can use. There, you will also find instructions for reporting a broken website so that Mozilla can help fix the problem.

      Mozilla Support articles for Desktop and Android:
      https://support.mozilla.org/kb/difficulties-opening-or-using-website-firefox-100
      https://support.mozilla.org/kb/difficulties-firefox-android-100

    Enterprise

    Web Platform

    • Support for the WritableStream API has landed. WritableStreams provide an interface for writing streaming data to a sink object.

    • Additionally, ReadableStream gained support for the “pipeTo” method, which allows you to connect a ReadableStream to a WritableStream. For example, this would allow you to process data retrieved using “fetch” with the WritableStream Sink object.

    • Support for WASM Exceptions is now available. This allows C++ exception handling and unwinding/destructing semantics to be expressed in WASM without an additional JavaScript helper code—and at zero cost to code that does not rely on exception semantics.

  8. ff v91.9.0 esr

    03. may 2022

    Fixed

    • Various stability, functionality, and security fixes.

    Quote

    Security Vulnerabilities fixed in Firefox ESR 91.9

    Announced May 3, 2022
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 91.9

    #CVE-2022-29914: Fullscreen notification bypass using popups

    Reporter Irvan Kurniawan
    Impact high
    Description

    When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks.

    References

    #CVE-2022-29909: Bypassing permission prompt in nested browsing contexts

    Reporter Armin Ebert
    Impact high
    Description

    Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions.

    References

    #CVE-2022-29916: Leaking browser history with CSS variables

    Reporter Mateusz Sionkowski
    Impact high
    Description

    Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history.

    References

    #CVE-2022-29911: iframe Sandbox bypass

    Reporter Trung Pham
    Impact high
    Description

    An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present.

    References

    #CVE-2022-29912: Reader mode bypassed SameSite cookies

    Reporter Matheus Vrech
    Impact moderate
    Description

    Requests initiated through reader mode did not properly omit cookies with a SameSite attribute.

    References

    #CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9

    Reporter Mozilla developers
    Impact high
    Description

    Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

    References

     

  9. ff v91.8.0 esr

    05. april 2022

    Various stability, functionality, and security fixes

    Quote

    Security Vulnerabilities fixed in Firefox ESR 91.8

    Announced April 5, 2022
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 91.8

    #CVE-2022-1097: Use-after-free in NSSToken objects

    Reporter Randell Jesup
    Impact high
    Description

    NSSToken objects were referenced via direct pointers, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash.

    References

    #CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions

    Reporter Axel '0vercl0k' Souchet
    Impact high
    Description

    If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash.

    References

    #CVE-2022-1196: Use-after-free after VR Process destruction

    Reporter bo13oy of Cyber Kunlun Lab
    Impact moderate
    Description

    After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash.

    References

    #CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument

    Reporter Kirin
    Impact moderate
    Description

    By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potentially exploitable crash.

    References

    #CVE-2022-28285: Incorrect AliasSet used in JIT Codegen

    Reporter Lukas Bernhard
    Impact moderate
    Description

    When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read.

    References

    #CVE-2022-28286: iframe contents could be rendered outside the border

    Reporter prada960808
    Impact low
    Description

    Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

    References

    #CVE-2022-24713: Denial of Service via complex regular expressions

    Reporter Addison Crump and Jan-Erik Rediger
    Impact low
    Description

    The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to supply input to this crate, they could have caused a denial of service in the browser.


    #CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8

    Reporter Mozilla developers and community
    Impact high
    Description

    Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98 and Firefox ESR 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

  10. ff v99.0

    05. april 2022

    New

    • You can now toggle Narrate in ReaderMode with the keyboard shortcut "n."

    • You can find added support for search—with or without diacritics—in the PDF viewer.

    • The Linux sandbox has been strengthened: processes exposed to web content no longer have access to the X Window system (X11).

    • Firefox now supports credit card autofill and capture in Germany and France.

    Fixed

    Enterprise

    unresolved

    • Gallery mode in the Zoom web client is now accessible in Firefox 99. Display of video is not always working with breakout rooms in gallery mode.

      • When a user of the Zoom web client enters a breakout room, one's self view and of other participants may not appear. Leaving the breakout room and re-entering it should resolve the issue.
  11. ...

    what size in the middle have your fragmented files?

    190 - 248 mb?

     

    how full is your 2 tb hdd? not only this 100 or 170 gb or?

    with usb 3 connection perhaps it would be faster (defrag) if you copy your whole drive to another (and back again - with another external can you save this time of course :-) ). perhaps this can help faster as 13 hours or so

    on the other side - with usb 2 it seems to be also fine, the external hdd can't read the files faster

  12. ff v91.7.1 esr

    14. march 2022

    Changed

    • Yandex and Mail.ru have been removed as optional search providers in the drop-down search menu in Firefox.

      If you previously installed a customized version of Firefox with Yandex or Mail.ru, offered through partner distribution channels, this release removes those customizations, including add-ons and default bookmarks. Where applicable, your browser will revert back to default settings, as offered by Mozilla. All other releases of Firefox remain unaffected by the change.

  13. ff v98.0.1

    14. march 2022

    Changed

    • Yandex and Mail.ru have been removed as optional search providers in the drop-down search menu in Firefox.

      If you previously installed a customized version of Firefox with Yandex or Mail.ru, offered through partner distribution channels, this release removes those customizations, including add-ons and default bookmarks. Where applicable, your browser will revert back to default settings, as offered by Mozilla. All other releases of Firefox remain unaffected by the change.

  14. ff v91.7.0 esr

    08. march 2022

    Fixed

    • Various stability, functionality, and security fixes

    Quote

    Security Vulnerabilities fixed in Firefox ESR 91.7

    Announced March 8, 2022
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 91.7

    #CVE-2022-26383: Browser window spoof using fullscreen mode

    Reporter Irvan Kurniawan
    Impact high
    Description

    When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification.


    #CVE-2022-26384: iframe allow-scripts sandbox bypass

    Reporter Ed McManus
    Impact high
    Description

    If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox.


    #CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures

    Reporter Armin Ebert
    Impact high
    Description

    When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed.


    #CVE-2022-26381: Use-after-free in text reflows

    Reporter Mozilla Fuzzing Team and Hossein Lotfi of Trend Micro Zero Day Initiative
    Impact high
    Description

    An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash.


    #CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users

    Reporter attila
    Impact low
    Description

    Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory.
    This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.

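
The check-then-use gap described in CVE-2022-26387, shown beside a hardened form, as an added example that is not part of the original post or Mozilla's code. A pinned SHA-256 digest stands in for signature verification (an assumption), and the function names, file name and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify(data: bytes, trusted: str) -> None:
    # Stand-in for real signature verification (assumption): pinned digest check.
    if digest(data) != trusted:
        raise ValueError("package does not match trusted digest")

def install_reopen(path, trusted, confirm):
    """Check-then-use: verifies the file, prompts, then reads the path again."""
    with open(path, "rb") as f:
        verify(f.read(), trusted)
    if not confirm():
        return None
    with open(path, "rb") as f:  # second read: content may have changed
        return f.read()

def install_pinned(path, trusted, confirm):
    """Reads once, verifies those bytes, and installs only that verified copy."""
    with open(path, "rb") as f:
        data = f.read()
    verify(data, trusted)
    if not confirm():
        return None
    return data

def demo():
    original = b"constructed add-on v1"
    trusted = digest(original)
    results = {}
    for name, installer in (("reopen", install_reopen), ("pinned", install_pinned)):
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "addon.xpi")
            with open(path, "wb") as f:
                f.write(original)
            def confirm():
                # Simulates the file changing on disk while the prompt is open.
                with open(path, "wb") as f:
                    f.write(b"constructed replacement")
                return True
            # True means the bytes installed are the bytes that were verified.
            results[name] = installer(path, trusted, confirm) == original
    return results

if __name__ == "__main__":
    print(demo())
```

An equivalent mitigation is to re-verify after the prompt returns and before install, as long as the verified bytes and the installed bytes come from the same read.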
  15. ff v98.0

    08. march 2022

    New

    • Firefox has a new optimized download flow. Instead of prompting every time, files will download automatically. However, they can still be opened from the downloads panel with just one click. Easy! More information


      You’ll find you have a number of options, including:

      • Always Open Similar Files: Make Firefox automatically open downloaded files of the same type with the system default application.
      • Show In Folder: Open the folder that contains your downloaded files.
      • Go To Download Page: Surfaces the download reference page even after leaving the site or closing the tab.
      • Copy Download Link: Copy the download link to share it, save it, or for any applicable use.
      • Delete: You can now delete downloaded files directly from the download panel and other download views using the context menu.
      • Remove From History: Remove a file from your list of downloaded files.
      • Clear Preview Panel: Clear the list of downloaded items in the preview panel that opens when you start a download.

      In this release, you’ll also see that Firefox no longer asks what to do for each file by default. You won’t be prompted to choose a helper application or save to disk before downloading a file unless you have changed your download action setting for that type of file.

      And now, every time you start a download, Firefox will automatically bring up the Downloads panel by default. This means you’ll experience minimal interruptions and easily find your downloaded files. Plus, to avoid having to close it several times, the panel won't show if there are multiple downloads in progress.

      You can now click on a file in the Downloads panel to open it even before it has finished downloading. Firefox will open the file as soon as it is available. Firefox: saving you time and helping you get back to what you care about!

      Any files you download will be immediately saved on your disk. Depending on the current configuration, they’ll be saved in your preferred download folder, or you’ll be asked to select a location for each download. Windows and Linux users will find their downloaded files in the destination folder. They’ll no longer be put in the Temp folder.

    • Firefox allows users to choose from a number of built-in search engines to set as their default. In this release, some users who had previously configured a default engine might notice their default search engine has changed since Mozilla was unable to secure formal permission to continue including certain search engines in Firefox.

    Fixed

    • Now, you can set a default app to open a file type. Choose the application you want to use to open files of a specific type in your Firefox settings.

    • After updating to Firefox version 98, "Always ask" download actions will now be reset.

    • Various security fixes.

    Enterprise

    Developer

    Developer Information

    • The Compatibility sidebar panel in the DevTools Inspector already available on pre-release channels will become available on the release channel in version 98. It provides compatibility warnings for the CSS properties used on the selected element, as well as for the overall page.

      Developers may use it to detect web-compatibility issues early, without having to test in each browser. All compatibility data are pulled from MDN.

    • Event listeners for a given node can now be disabled from the Inspector Event Tooltip, in the markup view. Also, the "event" badge style is updated when at least one event is disabled to remind the user that something was changed.

    • New UI in the Browser Toolbox to toggle Fluent pseudolocalization bidi / accented

    • “Ignore line” context menu entry added in the debugger editor gutter when devtools.debugger.features.blackbox-lines is true. Also, there is a better “Ignore source” icon and editor background colors for ignored lines.

    • Auto-open devtools for tabs opened via window.open (behind devtools.popups.debug). On a page where you already have DevTools opened, if a new tab is created via window.open, the toolbox will automatically move to the new tab, with the new document selected in both the iframe picker and the context selector

    Web Platform

    • The <dialog> HTML element already available on pre-release channels will become available on the release channel in version 98.

    • Form associated custom elements will become available on the release channel in version 98. This allows web authors to define and create custom elements that can participate in form submission.

    • The hyphenate-character CSS property can be used to set a string that is used instead of a hyphen character (-) at the end of a hyphenation line break.

  16. ff v91.6.1 esr

    05. march 2022

    Fixed

    Quote

    Security Vulnerabilities fixed in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0

    Announced March 5, 2022
    Impact high
    Products Firefox, Firefox ESR, Firefox for Android, Focus, Thunderbird
    Fixed in
    • Firefox 97.0.2
    • Firefox ESR 91.6.1
    • Firefox for Android 97.3
    • Focus 97.3
    • Thunderbird 91.6.2

    #CVE-2022-26485: Use-after-free in XSLT parameter processing

    Reporter Wang Gang, Liu Jialei, Du Sihang, Huang Yi & Yang Kang of 360 ATA
    Impact critical
    Description

    Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.


    #CVE-2022-26486: Use-after-free in WebGPU IPC Framework

    Reporter Wang Gang, Liu Jialei, Du Sihang, Huang Yi & Yang Kang of 360 ATA
    Impact critical
    Description

    An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.

  17. ff v97.0.1

    17. feb 2022

    Fixed

    • Fixed an issue where TikTok videos would fail to load when selected from a user's profile page (bug 1750973)

    • Fixed an issue which led to Picture-in-Picture mode being unable to be toggled on Hulu (bug 1753401)

    • Works around problems with WebRoot SecureAnywhere antivirus rendering Firefox unusable in some situations (bug 1752466)

    • Fixed an issue causing users to see the Restore Session screen unexpectedly when starting Firefox (bug 1749996)
