Mozilla Foundation Security Advisory 2024-65

Security Vulnerabilities fixed in Firefox ESR 115.18

Announced
November 26, 2024
Impact
high
Products
Firefox ESR
Fixed in
  • Firefox ESR 115.18

#CVE-2024-11691: Out-of-bounds write in Apple GPU drivers via WebGL

Reporter
Dohyun Lee (@l33d0hyun) of USELab, Korea University & Youngho Choi of CEL, Korea University & Geumhwan Cho of USELab, Korea University
Impact
high
Description

Certain WebGL operations on Apple silicon M series devices could have lead to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver.
This bug only affected the application on Apple M series hardware. Other platforms were unaffected.

References

#CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims

Reporter
Masato Kinugawa
Impact
moderate
Description

Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP frame-src bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content.

References