Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2022-19

Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1

Announced
May 20, 2022
Impact
critical
Products
Firefox, Firefox ESR, Firefox for Android, Thunderbird
Fixed in
  • Firefox 100.0.2
  • Firefox ESR 91.9.1
  • Firefox for Android 100.3
  • Thunderbird 91.9.1

#CVE-2022-1802: Prototype pollution in Top-Level Await implementation

Reporter
Manfred Paul via Trend Micro's Zero Day Initiative
Impact
critical
Description

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.

References

#CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution

Reporter
Manfred Paul via Trend Micro's Zero Day Initiative
Impact
critical
Description

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.

References