The Firefox/Mozilla Thread

[trium]

ff v68.5.0 esr

 

11. feb. 2020

 

Fixed

• Various stability and security fixes

Developer

• Developer Information

 

Quote

Security Vulnerabilities fixed in Firefox ESR68.5

#CVE-2020-6796: Missing bounds check on shared memory read in the parent process

Reporter

Thomas Imbert

Impact

high

Description

A content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write. This could have caused memory corruption and a potentially exploitable crash.

References

• Bug 1610426

#CVE-2020-6797: Extensions granted downloads.open permission could open arbitrary applications on Mac OSX

Reporter

Vladimir Metnew

Impact

moderate

Description

By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download non-quarantined files or supply command line arguments to the application, limiting the impact.
Note: this issue only occurs on Mac OSX. Other operating systems are unaffected.

References

• Bug 1596668

#CVE-2020-6798: Incorrect parsing of template tag could result in JavaScript injection

Reporter

terjanq

Impact

moderate

Description

If a <template> tag was used in a <select%gt; tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result.

References

• Bug 1602944

#CVE-2020-6799: Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader

Reporter

Joshua Graham & Brendan Scarvell

Impact

moderate

Description

Command line arguments could have been injected during Firefox invocation as a shell handler for certain unsupported file types. This required Firefox to be configured as the default handler for a given file type and for a file downloaded to be opened in a third party application that insufficiently sanitized URL data. In that situation, clicking a link in the third party application could have been used to retrieve and execute files whose location was supplied through command line arguments.
Note: This issue only affects Windows operating systems and when Firefox is configured as the default handler for non-default filetypes. Other operating systems are unaffected.

References

• Bug 1606596

#CVE-2020-6800: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5

Reporter

Mozilla developers and community

Impact

high

Description

Mozilla developers and community members Raul Gurzau, Tyson Smith, Bob Clary, Liz Henry, and Christian Holler reported memory safety bugs present in Firefox 72 and Firefox ESR 68.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

• Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5

 

[trium]

ff v73.0.1

 

18. feb 2020

 

Fixed

• Fixed crashes on Windows systems running third-party security software such as 0patch or G DATA (bug 1610790)

• Fixed loss of browser functionality in certain circumstances such as running in Windows compatibility mode or having custom anti-exploit settings (bug 1614885)

• Resolved problems connecting to the RBC Royal Bank website (bug 1613943)

• Fixed Firefox unexpectedly exiting when leaving Print Preview mode (bug 1611133)

• Fixed crashes when playing encrypted content on some Linux systems (bug 1614535)

[trium]

ff v74.0

 

10. march 2020

 

New

• Your login management has improved with the ability to reverse alpha sort (Name Z-A) in Lockwise, which you can access under Logins and Passwords.

• Firefox now makes importing your bookmarks and history from the new Microsoft Edge browser on Windows and Mac simple.

• Add-ons installed by external applications can now be removed using the Add-ons Manager (about:addons). Going forward, only users can install add-ons; they cannot be installed by an application.

• Facebook Container prevents Facebook from tracking you around the web - Facebook logins, likes, and comments are automatically blocked on non-Facebook sites. But when you need an exception, you can now create one by adding custom sites to the Facebook Container.

• Firefox now provides better privacy for your web voice and video calls through support for mDNS ICE by cloaking your computer’s IP address with a random ID in certain WebRTC scenarios.

Fixed

• Various security fixes.

• We have fixed issues involving pinned tabs such as being lost. You should also no longer see them reorder themselves.

Changed

• When a video is uploaded with a batch of photos on Instagram, the Picture-in-Picture toggle would sit atop of the “next” button. The toggle is now moved allowing you to flip through to the next image of the batch.

• On Windows, Ctrl+I can now be used to open the Page Info window instead of opening the Bookmarks sidebar. Ctrl+B still opens the Bookmarks sidebar making keyboard shortcuts more useful for our users.

• We have disabled TLS 1.0 and TLS 1.1 to improve your website connections. Sites that don't support TLS version 1.2 will now show an error page.

Developer

Developer Information

• Firefox’s Debugger added support for debugging Nested Web Workers, so their execution can be paused and stepped through with breakpoints

Web Platform

• Firefox has added support for the new JavaScript optional chaining operator (?.) and CSS text-underline-position.

[trium]

ff v68.6.0 esr

 

10. march 2020

 

Fixed

• Various stability and security fixes

 

Quote

 

Security Vulnerabilities fixed in Firefox ESR 68.6

Announced March 10, 2020

Impact high

Products Firefox ESR

Fixed in

• Firefox ESR 68.6

#CVE-2020-6805: Use-after-free when removing data about origins

Reporter Brian Carpenter

Impact high

Description

When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash.

References

• Bug 1610880

#CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections against state confusion

Reporter Sergei Glazunov of Google Project Zero

Impact high

Description

By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash.

References

• Bug 1612308

#CVE-2020-6807: Use-after-free in cubeb during stream destruction

Reporter C.M.Chang

Impact high

Description

When a device was changed while a stream was about to be destroyed, the stream-reinit task may have been executed after the stream was destroyed, causing a use-after-free and a potentially exploitable crash.

References

• Bug 1614971

#CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection

Reporter Ophir LOJKINE

Impact moderate

Description

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.

References

• Bug 1607742

#CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init

Reporter Natalie Silvanovich of Google Project Zero

Impact moderate

Description

The inputs to sctp_load_addresses_from_init are verified by sctp_arethere_unrecognized_parameters; however, the two functions handled parameter bounds differently, resulting in out of bounds reads when parameters are partially outside a chunk.

References

• Bug 1613765

#CVE-2020-6812: The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission

Reporter Jan-Ivar Bruaroey

Impact moderate

Description

The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'.

References

• Bug 1616661

#CVE-2020-6814: Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6

Reporter Mozilla developers and community

Impact high

Description

Mozilla developers and community members Byron Campen, Jason Kratzer, and Christian Holler reported memory safety bugs present in Firefox 73 and Firefox ESR 68.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

• Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6

 

 

[trium]

ff v74.0.1

 

03. april 2020

 

Fixed

• Security fixes

[trium]

ff v68.6.1 esr

 

03. april 2020

 

Fixed

• Security fixes

 

 

Quote

 

Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1

Announced April 3, 2020

Impact critical

Products Firefox, Firefox ESR

Fixed in

• Firefox 74.0.1
• Firefox ESR 68.6.1

#CVE-2020-6819: Use-after-free while running the nsDocShell destructor

Reporter Francisco Alonso @revskills working with Javier Marcos of @JMPSec

Impact critical

Description

Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.

References

• Bug 1620818

#CVE-2020-6820: Use-after-free when handling a ReadableStream

Reporter Francisco Alonso @revskills working with Javier Marcos of @JMPSec

Impact critical

Description

Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.

References

• Bug 1626728

 

•  

[hazelnut]

Firefox 75 comes with a new telemetry agent that sends information about your operating system and your default browser to Firefox every day. This guide will walk you through disabling this "feature" to protect your privacy.

For some time, Firefox has been collecting telemetry data about how you use the browser, such as the number of web pages you visit, safebrowsing information, the number of open tabs and windows, what add-ons are installed, and more.

This telemetry data is kept for 13 months and IP addresses listed in server logs are deleted every 30 days.

On my computer, Firefox has collected over 400KB of information.

https://www.bleepingcomputer.com/news/software/firefox-now-tells-mozilla-what-your-default-browser-is-every-day/

[nukecad]

No problem here.

I already had the telemetry (and studies) turned off in Options>Privacy & Security.

Updating to Firefox 75 has respected those settings, they are still off..

No scheduled task has been created.

[nikki605]

Thanks for the telemetry agent info. I changed the options in Firefox.

I also deleted the scheduled task but I wonder if it will be recreated on subsequent Firefox updates. @nukecad said it didn't on his, so I hope it continues that way because I'll forget to check.

[nukecad]

36 minutes ago, nikki605 said:

Thanks for the telemetry agent info. I changed the options in Firefox.

I also deleted the scheduled task but I wonder if it will be recreated on subsequent Firefox updates. @nukecad said it didn't on his, so I hope it continues that way because I'll forget to check.

I think the bleepingcomputer article is more aimed at those who didn't already know about the telemetry options and so hadn't previously turned them off.

(TBH I think a lot of it is copied/updated from an older, 2017?, article about Firefox telemetry, some of the pathnames and registry entries are different on my Win 10 1909 build 18363.752).

[trium]

ff v75.0

 

07. april 2020

 

New

• With today's release, a number of improvements will help you search smarter, faster. Type less and find more with Firefox's revamped address bar:

  • Focused, clean search experience that's optimized for smaller laptop screens
  • Top sites now appear when you select the address
  • Improved readability of search suggestions with a focus on new search terms
  • Suggestions include solutions to common Firefox issues
  • On Linux, the behavior when clicking on the Address Bar and the Search Bar now matches other desktop platforms: a single click selects all without primary selection, a double click selects a word, and a triple click selects all with primary selection

• Firefox will locally cache all trusted Web PKI Certificate Authority certificates known to Mozilla. This will improve HTTPS compatibility with misconfigured web servers and improve security.

• Firefox is now available in Flatpak, an easier way to install and use Firefox on Linux.

• Direct Composition is being integrated for our users on Windows to help improve performance and enable our ongoing work to ship WebRender on Windows 10 laptops with Intel graphics cards.

Fixed

• Various security fixes

Enterprise

• Experimental support for using client certificates from the OS certificate store can be enabled on macOS by setting the preference security.osclientcerts.autoload to true.

• Enterprise policies may be used to exclude domains from being resolved via TRR (Trusted Recursive Resolver) using DNS over HTTPS.

Developer

Developer Information

• Save bandwidth and reduce browser memory by using the loading attribute on the <img> element. The default "eager" value loads images immediately, and the "lazy" value delays loading until the image is within range of the viewport.

• Instant evaluation for Console expressions lets developers identify and fix errors more rapidly than before. As long as expressions typed into the Web Console are side-effect free, their results will be previewed while you type.

[trium]

ff v68.7.0 esr

 

07. april 2020

 

Fixed

• Various stability and security fixes

 

 

Quote

 

Security Vulnerabilities fixed in Firefox ESR 68.7

Announced April 7, 2020

Impact high

Products Firefox ESR

Fixed in

• Firefox ESR 68.7

#CVE-2020-6828: Preference overwrite via crafted Intent from malicious Android application

Reporter fatal0

Impact high

Description

A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user's profile directory. One exploitation vector for this would be to supply a user.js file providing arbitrary malicious preference values. Control of arbitrary preferences can lead to sufficient compromise such that it is generally equivalent to arbitrary code execution.
Note: This issue only affects Firefox for Android. Other operating systems are unaffected.

References

• Bug 1617928

#CVE-2020-6827: Custom Tabs in Firefox for Android could have the URI spoofed

Reporter Juho Nurminen of Mattermost

Impact high

Description

When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying the incorrect URI.
Note: This issue only affects Firefox for Android. Other operating systems are unaffected.

References

• Bug 1622278

#CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method

Reporter Jeff Gilbert, Kenneth Russell

Impact high

Description

When reading from areas partially or fully outside the source resource with WebGL's copyTexSubImage method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure.

References

• Bug 1625404

#CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large images

Reporter Deian Stefan

Impact moderate

Description

On 32-bit builds, an out of bounds write could have occurred when processing an image larger than 4 GB in GMPDecodeData. It is possible that with enough effort this could have been exploited to run arbitrary code.

References

• Bug 1544181

#CVE-2020-6825: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7

Reporter Mozilla developers

Impact high

Description

Mozilla developers Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

• Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7

 

 

[trium]

ff v76.0

05. may 2020

 

New

• With today’s release, Firefox strengthens protections for your online account logins and passwords, with innovative approaches to managing your accounts during this critical time:

  • Firefox displays critical alerts in the Lockwise password manager when a website is breached;
  • If one of your accounts is involved in a website breach and you've used the same password on other websites, you will now be prompted to update your password. A key icon identifies which accounts use that vulnerable password.
  • Automatically generate secure, complex passwords for new accounts across more of the web that are easily saved right in the browser;
  • You have been able to access and see your saved passwords under Logins and Passwords easily under the main menu. If your device happens to be shared among your family or roommates, the latest update helps to prevent casual snooping over your shoulder. If you don’t have a master password set up for Firefox, Windows and macOS now requires a login to your operating system account before showing your saved passwords.

• Picture-in-Picture allows you to multitask, the small video window following along no matter what you are doing on your computer, across different applications and even workspaces. Now, when you are ready to focus on the video, a double click can take the small window into full screen. Double click again to reduce the size again.

• Firefox now supports Audio Worklets that will allow more complex audio processing like VR and gaming on the web; and is being adopted by some of your favorite software programs.

  • With this change, you can now join Zoom calls on Firefox without the need for any additional downloads.

• WebRender continues its roll out to more Firefox for Windows users, now available by default on modern Intel laptops with a small screen (<= 1920x1200) for improved graphics rendering.

 

Fixed

• Various security fixes

 

Changed

• Two updates to the address bar improve its usability and visibility:

  • The shadow around the address bar field is reduced in width when a new tab is opened;
  • The bookmarks toolbar has expanded slightly in size to improve its surface area for touchscreens.

 

Developer

Developer Information

• Testing mobile interactions using DevTools’ Responsive Design Mode now mimics the device behavior for handling double-tap to zoom. This builds on previous improvements to correctly rendering meta-viewport tags, allowing developers to optimize their sites for Firefox for Android without a device.

• Double-clicking table headers in DevTools’ network request table now resizes the column width to fit the content, making it easier to expand the important data.

• WebSocket inspection now supports ActionCable message preview, adding to the list of automatically formatted protocols like socket.io, SignalR, WAMP, etc.

 

unresolved

• Audio playback is currently not working when running the 32-bit Windows version of Firefox from a network drive. This will be addressed in an upcoming future Firefox release.

[trium]

ff v76.0.1

08. may 2020

Fixed

• Fixed a bug causing some add-ons such as Amazon Assistant to see multiple onConnect events, impairing functionality (bug 1635637)

• Fixed a crash on 32-bit Windows systems with some nVidia drivers installed (bug 1635823)

[trium]

ff v68.8.0 esr

05. may 2020

Fixed

• Various stability and security fixes

unresolved

• Audio playback is currently not working when running the 32-bit Windows version of Firefox ESR from a network drive. This will be addressed in the next major Firefox ESR release.

Quote

Security Vulnerabilities fixed in Firefox ESR 68.8

Announced May 5, 2020

Impact critical

Products Firefox ESR

Fixed in Firefox ESR 68.8

#CVE-2020-12387: Use-after-free during worker shutdown

Reporter Looben Yang

Impact critical

Description

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash.

References

• Bug 1545345

#CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens

Reporter James Forshaw of Google Project Zero

Impact critical

Description

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.
Note: this issue only affects Firefox on Windows operating systems.

References

• Bug 1618911

#CVE-2020-12389: Sandbox escape with improperly separated process types

Reporter Niklas Baumstark

Impact high

Description

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.
Note: this issue only affects Firefox on Windows operating systems.

References

• Bug 1554110

#CVE-2020-6831: Buffer overflow in SCTP chunk input validation

Reporter Natalie Silvanovich of Google Project Zero

Impact high

Description

A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash.

References

• Bug 1632241

#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'

Reporter Ophir LOJKINE

Impact moderate

Description

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files.

References

• Bug 1614468

#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection

Reporter David Yesland

Impact moderate

Description

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.
Note: this issue only affects Firefox on Windows operating systems.

References

• Bug 1615471

#CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

Reporter Mozilla developers and community

Impact critical

Description

Mozilla developers and community members Alexandru Michis, Jason Kratzer, philipp, Ted Campbell, Bas Schouten, André Bargull, and Karl Tomlinson reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

• Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

[trium]

ff v77.0

02 june 2020

 

New

• Pocket recommendations, featuring some of the best stories on the web, will appear on the Firefox new tab for our users in the UK. If you don’t see them, you can turn on Pocket articles in your new tab, follow these steps.

• WebRender continues its roll out to more Firefox for Windows users, now available by default on Windows 10 laptops running on Nvidia GPUs with medium (<= 3440x1440) and large screens (> 3440x1440).

• You can view and manage web certificates more easily on the new about:certificate page.

 

Fixed

• Various security fixes.

• A number of features have been fixed to improve Firefox accessibility.

  • The applications list in Firefox Options is now accessible to screen reader users.
  • Some live regions previously didn't report updated text with the JAWS screen reader. This issue has been fixed.
  • Date/time inputs are now no longer missing labels for users of accessibility tools.

 

Changed

• The browser.urlbar.oneOffSearches preference has been removed. To hide one-off search buttons uncheck search engines on the about:preferences#search page

 

Developer

Developer Information

• Significant improvements to JavaScript debugging make loading and stepping through sources faster and with less memory being used over time. Source map support also got a lot more reliable and will just work for a lot more cases.

• Added support for the JavaScript API String.prototype.replaceAll() which allows developers to return a new string with all matches to the provided pattern while preserving the original string.

[trium]

ff v77.0.1

03 june 2020

Fixed

• Disabled automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way (bug 1642723)

[trium]

ff v68.9.0 esr

02 june 2020

Fixed

• Various stability and security fixes

 

Quote

Security Vulnerabilities fixed in Firefox ESR 68.9

Announced June 2, 2020

Impact high

Products Firefox ESR

Fixed in Firefox ESR 68.9

#CVE-2020-12399: Timing attack on DSA signatures in NSS library

Reporter Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at Tampere University

Impact high

Description

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.

References

• Bug 1631576

#CVE-2020-12405: Use-after-free in SharedWorkerService

Reporter Marcin 'Icewall' Noga of Cisco Talos

Impact high

Description

When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash.

References

• Bug 1631618

#CVE-2020-12406: JavaScript Type confusion with NativeTypes

Reporter Iain Ireland

Impact high

Description

Mozilla developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code.

References

• Bug 1639590

#CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9

Reporter Mozilla developers

Impact high

Description

Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

• Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9

 

[hazelnut]

New fat address bar.. in case anyone hates it.

https://www.askvg.com/tip-new-working-method-to-disable-enlarging-address-bar-in-mozilla-firefox/

[trium]

ff v78.0

30. june 2020

Quote

Firefox 78 is the last major release with support for macOS versions 10.9, 10.10 and 10.11. If you use one of these versions, you’ll be supported through Firefox ESR (Extended Support Release) 78.x for the coming year.

 

New

• The Protections Dashboard includes consolidated reports about tracking protection, data breaches, and password management. New features let you:

  • Track how many breaches you’ve resolved right from the dashboard
  • See if any of your saved passwords may have been exposed in a data breach

  To view your dashboard, type about:protections into the address bar, or select “Protections Dashboard” from the main menu.

• Because we know people try to fix problems by reinstalling Firefox when a simple refresh is more likely to solve the issue, we’ve added a Refresh button to the Uninstaller.

• With this release, your screen saver will no longer interrupt WebRTC calls on Firefox, making conference and video calling in Firefox better.

• We’ve rolled out WebRender to Windows users with Intel GPUs, bringing improved graphics performance to an even larger audience.

• Firefox 78 is also our Extended Support Release (ESR), where the changes made over the course of the previous 10 releases will now roll out to our ESR users. Some of the highlights are:

  • Kiosk mode
  • Client certificates
  • Service Worker and Push APIs are now enabled
  • The Block Autoplay feature is enabled
  • Picture-in-picture support
  • View and manage web certificates in about:certificate

• Pocket recommendations, featuring some of the best stories on the web, will now appear on the Firefox new tab for 100% of our users in the UK. If you don’t see them, you can turn on Pocket articles in your new tab, follow these steps.

 

Fixed

• Various security fixes.

• We fixed bugs in the search results quality composition and improved search result texts based on recommendations by our partners.

 

Changed

• The minimal system requirements on Linux have been updated. Firefox now needs GNU libc 2.17, libstdc++ 4.8.1 and GTK+ 3.14 or newer versions.

• As part of our ongoing effort to deprecate obsolete cryptography, we have disabled all remaining DHE-based TLS ciphersuites by default.

  • To mitigate web compatibility issues from disabling DHE-based TLS ciphersuites, Firefox 78 enables two more AES-GCM SHA2-based ciphersuites.

• We have disabled TLS 1.0 and TLS 1.1 to improve your website connections. Sites that don't support TLS version 1.2 will now show an error page.

• The context menu (accessed by right clicking on a tab) lets you undo multiple tab closings with a single click and places Close Tabs to the Right and Close Other Tabs in a submenu.

• A number of accessibility improvements have been made with this release.

  • When using the JAWS screen reader, pressing the down arrow in an HTML input control with a datalist no longer incorrectly moves the cursor to the next element after the input control.
  • Screen readers no longer severely lag or freeze when focusing the microphone/camera/screen sharing indicator.
  • Large tables with thousands of rows now load much faster for screen reader users.
  • Text input controls with custom styling now correctly show the focus outline when appropriate.
  • Screen readers no longer sometimes incorrectly switch to document browsing mode unexpectedly when the user enters the main Developer Tools window.
  • We reduced a number of animations such as tab hover, search bar expansion, and others to reduce motion for users with migraines and epilepsy.

 

Enterprise

• Enable support for client certificates stored on macOS and Windows by setting the experimental preference security.osclientcerts.autoload to true.

• New policies allow you to configure application handlers, disable picture in picture, and require a master password, which will be renamed to ‘primary password’ in future releases.

• More details in the Firefox for Enterprise 78 release notes

 

Developer

Developer Information

• DevTools Console now logs uncaught promise errors with much more detailed names, stacks, and properties, particularly improving JavaScript framework debugging.

• Debugger’s automatic mapping for minified variable names now also works for Logpoints, which makes debugger of source-mapped projects feel more seamless.

• The Firefox DevTools’ Network panel now highlights which extension or CORS restriction blocked a request, so developers can make their sites more resilient and secure.

• New RegExp engine in SpiderMonkey, adding support for the dotAll flag, Unicode escape sequences, lookbehind references, and named captures.

[trium]

ff v78.0.1

1. july 2020

Fixed

• Fixed an issue which could cause installed search engines to not be visible when upgrading from a previous release.

[trium]

ff v68.10.0 esr

30. june 2020

Fixed

• Various stability and security fixes

 

Quote

Security Vulnerabilities fixed in Firefox ESR 68.10

Announced June 30, 2020

Impact high

Products Firefox ESR

Fixed in Firefox ESR 68.10

 

#CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64

Reporter Deian Stefan

Impact high

Description

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash.
Note: this issue only affects Firefox on ARM64 platforms.

References

• Bug 1640737

#CVE-2020-12418: Information disclosure due to manipulated URL object

Reporter Marcin 'Icewall' Noga of Cisco Talos

Impact high

Description

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript.

References

• Bug 1641303

#CVE-2020-12419: Use-after-free in nsGlobalWindowInner

Reporter worcester12345

Impact high

Description

When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash.

References

• Bug 1643874

#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server

Reporter Byron Campen

Impact high

Description

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash.

References

• Bug 1643437

#CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates

Reporter Chuck Harmston, Robert Hardy

Impact moderate

Description

When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user.

References

• Bug 1308251

 

[trium]

ff v78.0 esr -> new ESR-Line

30. june 2020

New

• Some of the highlights of the new Extended Support Release are:

  • Kiosk mode
  • Client certificates
  • Service Worker and Push APIs are now enabled
  • The Block Autoplay feature is enabled
  • Picture-in-picture support
  • View and manage web certificates in about:certificate

  For more information about what's new in the Firefox 78 ESR release, see the more detailed release notes at support.mozilla.org.

 

Developer

Developer Information

[trium]

ff v78.0.1 esr

01. july 2020

Fixed

• Fixed an issue which could cause installed search engines to not be visible when upgrading from a previous release.

[Winapp2.ini]

If you use a temporary-containers style of browsing in firefox (new containers spawned and destroyed per-tab-tree if the initial url isn't pre configured to open in a specific container already) take care that they're not being retained

I recently discovered that something had caused my multi-account containers to retain several hundred containers that were meant to be destroyed when their last tab had been closed. It was causing some severe overhead on startup and when opening new tabs until I removed them manually