
ISN 2023-02: Firefox ESR Vulnerabilities

First published 22 March 2023

CVSS 3.1 high

CVSS:3.1 n/a

Summary

Firefox ESR version 91.13.0, which has shipped in IGEL OS 11 since version 11.08.200, is affected by several vulnerabilities rated high.

  • IGEL OS 11

Details

The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect (high, CVE-2023-25728). A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks (high, CVE-2023-25730).

In addition, there are arbitrary file reads from GTK drag and drop (high, CVE-2023-23598) and from a compromised content process that partially escaped the sandbox (high, CVE-2022-46872). A same-origin policy violation could leak cross-origin URLs (high, CVE-2022-42927).

Firefox ESR version 91.13.0 is also affected by memory safety bugs that can lead to application crashes or to the execution of arbitrary code.

Update Instructions

  • Update to IGEL OS 11.08.290, which ships Firefox ESR version 102.8.0 (available in March 2023).
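As an added example, not part of this advisory or of IGEL's own tooling, the following check flags devices in a fleet inventory whose IGEL OS build falls inside the range this advisory covers (11.08.200 up to, but not including, the fixed 11.08.290). The CSV inventory format, the device names and the version values in the sample are constructed assumptions.

```python
"""Flag IGEL OS 11 devices covered by ISN 2023-02 (added example, not IGEL code)."""
import csv
import io
from typing import List, Tuple

# Range taken from the advisory: Firefox ESR 91.13.0 shipped from IGEL OS 11.08.200,
# and 11.08.290 is the first release carrying the fixed Firefox ESR 102.8.0.
# Builds older than 11.08.200 ship an older Firefox ESR and are outside this advisory.
AFFECTED_FROM = (11, 8, 200)
FIXED_IN = (11, 8, 290)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.08.290' into (11, 8, 290) so comparison is numeric.

    Comparing version strings lexically would wrongly rank '11.08.1000'
    below '11.08.290'; tuples of ints compare component by component.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparsable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(igel_os: str) -> bool:
    """True when the build is in [11.08.200, 11.08.290)."""
    return AFFECTED_FROM <= parse_version(igel_os) < FIXED_IN


# Constructed sample inventory (assumed format: one device per line).
SAMPLE_INVENTORY = """\
device,igel_os
tc-0012,11.08.200
tc-0013,11.08.230
tc-0014,11.08.290
tc-0015,11.07.910
"""


def affected_devices(inventory_csv: str) -> List[str]:
    """Return the device names that still need the 11.08.290 update."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [row["device"] for row in reader if is_affected(row["igel_os"])]


if __name__ == "__main__":
    for name in affected_devices(SAMPLE_INVENTORY):
        print(f"{name}: update to IGEL OS 11.08.290 (ISN 2023-02)")
```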
