* Fixed a bug with displaying a caret in the text editor on some websites
(bmo#1840804)
* Fixed a bug with broken audio rendering on some websites (bmo#1841982)
* Fixed a bug with patternTransform translate using the wrong units
(bmo#1840746)
MFSA 2023-26 (bsc#1213230)
* CVE-2023-3600 (bmo#1839703)
Use-after-free in workers
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1075
* Support for importing payment methods saved in Chrome-based browser
* Hardware video decoding is now enabled for Intel GPUs on Linux
* The Tab Manager dropdown now features close buttons, so tabs
can be closed more quickly
* Streamlined the user interface for importing data in from other browsers
* Users without platform support for H264 video decoding can now
fallback to Cisco's OpenH264 plugin for playback.
* Undo and redo are now available in Password fields
* Changed: On Linux, middle clicks on the new tab button will
now open the xclipboard contents in the new tab. If the
xclipboard content is a URL then that URL is opened, any
other text is opened with your default search provider.
* Changed: For users with a Firefox Colorways built-in theme,
the theme will be automatically migrated to the same theme
hosted on addons.mozilla.org for Firefox profiles that have
disabled add-ons auto-updates. This will allow users to keep
their Colorways theme when they are later removed from
Firefox installer files.
* Changed: Certain Firefox users may come across a message in
the extensions panel indicating that their add-ons are not
allowed on the site currently open. We have introduced a new
back-end feature to only allow some extensions monitored by
Mozilla to run on specific websites for various reasons,
including security concerns.
* HTML5: The builtin editor now behaves similarly to other
browsers with `contenteditable` and `designMode` when
splitting a node, e.g. typing Enter to split a paragraph, and
also when joining two nodes, e.g. typing Backspace at the
start of a paragraph to join the paragraph and the previous
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1071
* https://www.mozilla.org/en-US/firefox/112.0/releasenotes/
MFSA 2023-13 (bsc#1210212)
* CVE-2023-29531 (bmo#1794292)
Out-of-bound memory access in WebGL on macOS
* CVE-2023-29532 (bmo#1806394)
Mozilla Maintenance Service Write-lock bypass
* CVE-2023-29533 (bmo#1798219, bmo#1814597)
Fullscreen notification obscured
* CVE-2023-29534 (bmo#1816007, bmo#1816059, bmo#1821155, bmo#1821576,
bmo#1821906, bmo#1822298, bmo#1822305)
Fullscreen notification could have been obscured on Firefox
for Android
* MFSA-TMP-2023-0001 (bmo#1819244)
Double-free in libwebp
* CVE-2023-29535 (bmo#1820543)
Potential Memory Corruption following Garbage Collector compaction
* CVE-2023-29536 (bmo#1821959)
Invalid free from JavaScript code
* CVE-2023-29537 (bmo#1823365, bmo#1824200, bmo#1825569)
Data Races in font initialization code
* CVE-2023-29538 (bmo#1685403)
Directory information could have been leaked to WebExtensions
* CVE-2023-29539 (bmo#1784348)
Content-Disposition filename truncation leads to Reflected
File Download
* CVE-2023-29540 (bmo#1790542)
Iframe sandbox bypass using redirects and sourceMappingUrls
* CVE-2023-29541 (bmo#1810191)
Files with malicious extensions could have been downloaded
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1051
* https://www.mozilla.org/en-US/firefox/111.0/releasenotes
MFSA 2023-09 (bsc#1209173)
* CVE-2023-28159 (bmo#1783561)
Fullscreen Notification could have been hidden by download
popups on Android
* CVE-2023-25748 (bmo#1798798)
Fullscreen Notification could have been hidden by window
prompts on Android
* CVE-2023-25749 (bmo#1810705)
Firefox for Android may have opened third-party apps without
a prompt
* CVE-2023-25750 (bmo#1814733)
Potential ServiceWorker cache leak during private browsing mode
* CVE-2023-25751 (bmo#1814899)
Incorrect code generation during JIT compilation
* CVE-2023-28160 (bmo#1802385)
Redirect to Web Extension files may have leaked local path
* CVE-2023-28164 (bmo#1809122)
URL being dragged from a removed cross-origin iframe into the
same tab triggered navigation
* CVE-2023-28161 (bmo#1811181)
One-time permissions granted to a local file were extended to
other local files loaded in the same tab
* CVE-2023-28162 (bmo#1811327)
Invalid downcast in Worklets
* CVE-2023-25752 (bmo#1811627)
Potential out-of-bounds when accessing throttled streams
* CVE-2023-28163 (bmo#1817768)
Windows Save As dialog resolved environment variables
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1046
* https://www.mozilla.org/en-US/firefox/110.0/releasenotes
MFSA 2023-05 (bsc#1208144)
* CVE-2023-25728 (bmo#1790345)
Content security policy leak in violation reports using iframes
* CVE-2023-25730 (bmo#1794622)
Screen hijack via browser fullscreen mode
* CVE-2023-25743 (bmo#1800203)
Fullscreen notification not shown in Firefox Focus
* CVE-2023-0767 (bmo#1804640)
Arbitrary memory write via PKCS 12 in NSS
* CVE-2023-25735 (bmo#1810711)
Potential use-after-free from compartment mismatch in SpiderMonkey
* CVE-2023-25737 (bmo#1811464)
Invalid downcast in SVGUtils::SetupStrokeGeometry
* CVE-2023-25738 (bmo#1811852)
Printing on Windows could potentially crash Firefox with some
device drivers
* CVE-2023-25739 (bmo#1811939)
Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
* CVE-2023-25729 (bmo#1792138)
Extensions could have opened external schemes without user knowledge
* CVE-2023-25732 (bmo#1804564)
Out of bounds memory write from EncodeInputStream
* CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338)
Opening local .url files could cause unexpected network loads
* CVE-2023-25740 (bmo#1812354)
Opening local .scf files could cause unexpected network loads
* CVE-2023-25731 (bmo#1801542)
Prototype pollution when rendering URLPreview
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1037
MFSA 2023-01 (bsc#1207119)
* CVE-2023-23597 (bmo#1538028)
Logic bug in process allocation allowed to read arbitrary
files
* CVE-2023-23598 (bmo#1800425)
Arbitrary file read from GTK drag and drop on Linux
* CVE-2023-23599 (bmo#1777800)
Malicious command could be hidden in devtools output on
Windows
* CVE-2023-23600 (bmo#1787034)
Notification permissions persisted between Normal and Private
Browsing on Android
* CVE-2023-23601 (bmo#1794268)
URL being dragged from cross-origin iframe into same tab
triggers navigation
* CVE-2023-23602 (bmo#1800890)
Content Security Policy wasn't being correctly applied to
WebSockets in WebWorkers
* CVE-2023-23603 (bmo#1800832)
Calls to <code>console.log</code> allowed bypasing Content
Security Policy via format directive
* CVE-2023-23604 (bmo#1802346)
Creation of duplicate <code>SystemPrincipal</code> from less
secure contexts
* CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
* CVE-2023-23606 (bmo#1764974, bmo#1798591, bmo#1799201,
bmo#1800446, bmo#1801248, bmo#1802100, bmo#1803393,
bmo#1804626, bmo#1804971, bmo#1807004)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1033
https://www.mozilla.org/en-US/firefox/108.0/releasenotes/
MFSA 2022-51 (bsc#1206242)
* CVE-2022-46871 (bmo#1795697)
libusrsctp library out of date
* CVE-2022-46872 (bmo#1799156)
Arbitrary file read from a compromised content process
* CVE-2022-46873 (bmo#1644790)
Firefox did not implement the CSP directive unsafe-hashes
* CVE-2022-46874 (bmo#1746139)
Drag and Dropped Filenames could have been truncated to
malicious extensions
* CVE-2022-46875 (bmo#1786188)
Download Protections were bypassed by .atloc and .ftploc
files on Mac OS
* CVE-2022-46877 (bmo#1795139)
Fullscreen notification bypass
* CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
bmo#1801102, bmo#1801315, bmo#1802395)
Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
* CVE-2022-46879 (bmo#1736224, bmo#1793407, bmo#1794249, bmo#1795845,
bmo#1797682, bmo#1797720, bmo#1798494, bmo#1799479)
Memory safety bugs fixed in Firefox 108
- requires
NSS >= 3.85
rustc/cargo 1.65
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1024
MFSA 2022-47 (bsc#1205270)
* CVE-2022-45403 (bmo#1762078)
Service Workers might have learned size of cross-origin media files
* CVE-2022-45404 (bmo#1790815)
Fullscreen notification bypass
* CVE-2022-45405 (bmo#1791314)
Use-after-free in InputStream implementation
* CVE-2022-45406 (bmo#1791975)
Use-after-free of a JavaScript Realm
* CVE-2022-45407 (bmo#1793314)
Loading fonts on workers was not thread-safe
* CVE-2022-45408 (bmo#1793829)
Fullscreen notification bypass via windowName
* CVE-2022-45409 (bmo#1796901)
Use-after-free in Garbage Collection
* CVE-2022-45410 (bmo#1658869)
ServiceWorker-intercepted requests bypassed SameSite cookie policy
* CVE-2022-45411 (bmo#1790311)
Cross-Site Tracing was possible via non-standard override headers
* CVE-2022-45412 (bmo#1791029)
Symlinks may resolve to partially uninitialized buffers
* CVE-2022-45413 (bmo#1791201)
SameSite=Strict cookies could have been sent cross-site via
intent URLs
* CVE-2022-40674 (bmo#1791598)
Use-after-free vulnerability in expat
* CVE-2022-45415 (bmo#1793551)
Downloaded file may have been saved with malicious extension
* CVE-2022-45416 (bmo#1793676)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1019
