Skip to main content
Skip table of contents

ISN 2024-13: Firefox ESR Vulnerabilities

First published 18 June 2024

CVSS 3.1: 7.5 (high)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Multiple security vulnerabilities have been found in the Firefox ESR web browser used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12

  • IGEL OS 11

Details

A vulnerability has been discoveres in PDF.js, the component Firefox uses to render PDF files: JavaScript embedded into the PDF document is executed in the context of the hosting domain (CVE-2024-4367, high). In IGEL OS 11 this is already mitigated by the fact that Firefox ESR opens PDF files in the external PDF viewer, but the Firefox ESR App for OS 12 is fully affected.

Further issues rated high were found in the JIT component: GetBoundName returning the wrong object (CVE-2024-3852), an out-of-bounds-read occurring after a mis-optimized switch statement (CVE-2024-3854), and potential use-after-free crashes during garbage collection (CVE-2024-3857). Additionally, a memory safety bug came to light, which showed evidence of memory corruption and could potentially be exploited to run arbitrary code (CVE-2024-3864, high).

Update Instructions

  • OS 12: Update to the Firefox ESR app version 115.11 or newer when it is available in the App Portal.

  • OS 11: Update to the upcoming IGEL OS 11.10.150.

References

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.