Mozilla Foundation Security Advisory 2021-20

Security Vulnerabilities fixed in Firefox 88.0.1, Firefox for Android 88.1.3

Announced: May 5, 2021
Impact: critical
Products: Firefox, Firefox for Android
Fixed in:
  • Firefox 88.0.1
  • Firefox for Android 88.1.3

CVE-2021-29953: Universal Cross-Site Scripting via pop-up prompts

Reporter: Wladimir Palant working with Include Security
Impact: critical
Description

By triggering multiple pop-up prompts containing javascript: URLs, a malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability.
Note: This issue only affected Firefox for Android. Other operating systems are unaffected.

CVE-2021-29952: Race condition in Web Render Components

Reporter: Tyson Smith
Impact: high
Description

When Web Render components were destructed, a race condition could have caused undefined behavior, and we presume that with enough effort it may have been exploitable to run arbitrary code.
