Firefox ESR version 91.13.0, which has shipped in IGEL OS 11 since 11.08.200, has been found to contain several vulnerabilities rated high.
IGEL OS 11
Details
The vulnerabilities include the following. The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect (high, CVE-2023-25728). A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks (high, CVE-2023-25730).
In addition, arbitrary file reads are possible via GTK drag and drop (high, CVE-2023-23598) and from a compromised content process that has partially escaped the sandbox (high, CVE-2022-46872). A same-origin policy violation could leak cross-origin URLs (high, CVE-2022-42927).
Firefox ESR version 91.13.0 is also affected by memory safety bugs that can lead to application crashes or to the execution of arbitrary code.
Update Instructions
Update to IGEL OS 11.08.290, which ships Firefox ESR version 102.8.0 (available in March 2023).
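A small fleet-audit helper for the versions named in this advisory, added here as an example and not IGEL's or Mozilla's code. The input strings it parses (output in the style of `firefox --version`, and an IGEL OS build string) are constructed samples, and treating any build older than the fixed one as still needing the update is this check's assumption.

```python
import re
from typing import Optional, Tuple

# Versions named in the advisory.
AFFECTED_FIREFOX = (91, 13, 0)   # Firefox ESR shipped since IGEL OS 11.08.200
FIXED_FIREFOX = (102, 8, 0)      # Firefox ESR shipped with IGEL OS 11.08.290
FIXED_IGEL_OS = (11, 8, 290)     # first IGEL OS 11 build carrying the fix


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a dotted numeric version from strings such as
    'Mozilla Firefox 91.13.0esr' or 'IGEL OS 11.08.200'.
    A trailing suffix like 'esr' is ignored, '08' is read numerically
    (so 11.08.290 sorts above 11.08.200), and the result is padded to
    three components so '102.8' compares equal to 102.8.0."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def firefox_needs_update(version_output: str) -> bool:
    """True when the installed Firefox ESR is older than the fixed 102.8.0
    (assumption: anything below the fixed release lacks the fixes)."""
    v = parse_version(version_output)
    if v is None:
        raise ValueError(f"no version found in {version_output!r}")
    return v < FIXED_FIREFOX


def igel_os_needs_update(os_version: str) -> bool:
    """True when the IGEL OS build predates 11.08.290, the first build
    that ships Firefox ESR 102.8.0."""
    v = parse_version(os_version)
    if v is None:
        raise ValueError(f"no version found in {os_version!r}")
    return v < FIXED_IGEL_OS


if __name__ == "__main__":
    # Constructed sample inventory rows: (hostname, IGEL OS build, firefox --version)
    inventory = [
        ("tc-001", "IGEL OS 11.08.200", "Mozilla Firefox 91.13.0esr"),
        ("tc-002", "IGEL OS 11.08.290", "Mozilla Firefox 102.8.0esr"),
    ]
    for host, os_build, ff in inventory:
        flag = igel_os_needs_update(os_build) or firefox_needs_update(ff)
        print(f"{host}: {'UPDATE REQUIRED' if flag else 'ok'} ({os_build}, {ff})")
```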