Vulnerability Level: High
CVE-No’s:
- CVE-2020-12399
- CVE-2020-12405
- CVE-2020-12406
- CVE-2020-12407
- CVE-2020-12408
- CVE-2020-12409
- CVE-2020-12410
- CVE-2020-12411
Risks:
- Timing Attack on DSA signatures.
- When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash.
- a missing type check during unboxed objects removal, resulting in a crash. With enough effort that it could be exploited to run arbitrary code.
- when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The leaked memory content was visible to the user, but not observable from web content.
- When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar.
- When using certain blank characters in a URL, they where incorrectly rendered as spaces instead of an encoded URL.
- memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and with enough effort some of these could have been exploited to run arbitrary code.
- memory safety bugs present in Firefox 76. Some of these bugs showed evidence of memory corruption and with enough effort some of these could have been exploited to run arbitrary code.
Vulnerable Parties: Anyone or any company using Mozilla Firefox version upto 76.* .
Products vulnerable: Mozilla Firefox version upto 76.
Recommendation: Mozilla has released an update to Firefox version 77 which resolves all the issues mentioned above.
Documentation: For more details visit here:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/