Mozilla Foundation Security Advisory 2021-20

Security Vulnerabilities fixed in Firefox 88.0.1, Firefox for Android 88.1.3

Announced
May 5, 2021
Impact
critical
Products
Firefox, Firefox for Android
Fixed in
  • Firefox 88.0.1
  • Firefox for Android 88.1.3

#CVE-2021-29953: Universal Cross-Site Scripting

Reporter
Wladimir Palant working with Include Security
Impact
critical
Description

A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability.
Note: This issue only affected Firefox for Android. Other operating systems are unaffected. Further details are being temporarily withheld to allow users an opportunity to update.

References

#CVE-2021-29952: Race condition in Web Render Components

Reporter
Tyson Smith
Impact
high
Description

When Web Render components were destructed, a race condition could have caused undefined behavior, and we presume that with enough effort may have been exploitable to run arbitrary code.

References