Mozilla Foundation has released Firefox 115 to its stable channel. The update addresses several high-level vulnerabilities.
One of them, CVE-2023-37201, involved a use-after-free issue in WebRTC certificate generation.
“An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS,” Mozilla wrote.
Another, CVE-2023-37202, is a use-after-free vulnerability resulting from a compartment mismatch in SpiderMonkey (the JavaScript engine used by Firefox).
“Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free,” reads the advisory.
Meanwhile, CVE-2023-37211 highlighted the memory safety bugs that were fixed in Firefox 115, ESR 102.13 and Thunderbird 102.13. Similarly, CVE-2023-37212 pertains to memory safety bugs fixed specifically in Firefox 115.
“Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code,” the company wrote.
These include CVE-2023-3482, which addressed a bypass for blocking cookies in local storage; CVE-2023-37203, which addressed potential access to local system files through the Drag and Drop API; and CVE-2023-37204, which addressed the obscuring of full-screen notifications.
Also, CVE-2023-37205, which addressed URL spoofing in the address bar using RTL characters; CVE-2023-37206, which addressed insufficient validation of symlinks in the FileSystem API; and CVE-2023-37207, which addressed the obscuring of full-screen notifications.
Finally, CVE-2023-37208, which addressed the lack of warning when opening Diagcab files; CVE-2023-37209, which addressed a use-after-free issue; and CVE-2023-37210, which addressed full-screen mode exit prevention.
Mozilla recommended that users promptly update their Firefox browser to version 115 to benefit from these crucial bug fixes and maintain a secure browsing environment.
The patches come weeks after Microsoft published its monthly Patch Tuesday roundup.
Source: www.infosecurity-magazine.com