* https://www.mozilla.org/en-US/firefox/110.0/releasenotes
MFSA 2023-05 (bsc#1208144)
* CVE-2023-25728 (bmo#1790345)
Content security policy leak in violation reports using iframes
* CVE-2023-25730 (bmo#1794622)
Screen hijack via browser fullscreen mode
* CVE-2023-25743 (bmo#1800203)
Fullscreen notification not shown in Firefox Focus
* CVE-2023-0767 (bmo#1804640)
Arbitrary memory write via PKCS 12 in NSS
* CVE-2023-25735 (bmo#1810711)
Potential use-after-free from compartment mismatch in SpiderMonkey
* CVE-2023-25737 (bmo#1811464)
Invalid downcast in SVGUtils::SetupStrokeGeometry
* CVE-2023-25738 (bmo#1811852)
Printing on Windows could potentially crash Firefox with some
device drivers
* CVE-2023-25739 (bmo#1811939)
Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
* CVE-2023-25729 (bmo#1792138)
Extensions could have opened external schemes without user knowledge
* CVE-2023-25732 (bmo#1804564)
Out of bounds memory write from EncodeInputStream
* CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338)
Opening local .url files could cause unexpected network loads
* CVE-2023-25740 (bmo#1812354)
Opening local .scf files could cause unexpected network loads
* CVE-2023-25731 (bmo#1801542)
Prototype pollution when rendering URLPreview
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1037
MFSA 2023-01 (bsc#1207119)
* CVE-2023-23597 (bmo#1538028)
Logic bug in process allocation allowed to read arbitrary
files
* CVE-2023-23598 (bmo#1800425)
Arbitrary file read from GTK drag and drop on Linux
* CVE-2023-23599 (bmo#1777800)
Malicious command could be hidden in devtools output on
Windows
* CVE-2023-23600 (bmo#1787034)
Notification permissions persisted between Normal and Private
Browsing on Android
* CVE-2023-23601 (bmo#1794268)
URL being dragged from cross-origin iframe into same tab
triggers navigation
* CVE-2023-23602 (bmo#1800890)
Content Security Policy wasn't being correctly applied to
WebSockets in WebWorkers
* CVE-2023-23603 (bmo#1800832)
Calls to <code>console.log</code> allowed bypasing Content
Security Policy via format directive
* CVE-2023-23604 (bmo#1802346)
Creation of duplicate <code>SystemPrincipal</code> from less
secure contexts
* CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
* CVE-2023-23606 (bmo#1764974, bmo#1798591, bmo#1799201,
bmo#1800446, bmo#1801248, bmo#1802100, bmo#1803393,
bmo#1804626, bmo#1804971, bmo#1807004)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1033
* You can now toggle Narrate in ReaderMode with the keyboard
shortcut "n."
* You can find added support for search—with or without
diacritics—in the PDF viewer.
* The Linux sandbox has been strengthened: processes exposed to web
content no longer have access to the X Window system (X11).
* Firefox now supports credit card autofill and capture in
Germany and France.
MFSA 2022-13 (bsc#1197903)
* CVE-2022-1097 (bmo#1745667)
Use-after-free in NSSToken objects
* CVE-2022-28281 (bmo#1755621)
Out of bounds write due to unexpected WebAuthN Extensions
* CVE-2022-28282 (bmo#1751609)
Use-after-free in DocumentL10n::TranslateDocument
* CVE-2022-28283 (bmo#1754066)
Missing security checks for fetching sourceMapURL
* CVE-2022-28284 (bmo#1754522)
Script could be executed via svg's use element
* CVE-2022-28285 (bmo#1756957)
Incorrect AliasSet used in JIT Codegen
* CVE-2022-28286 (bmo#1735265)
iframe contents could be rendered outside the border
* CVE-2022-28287 (bmo#1741515)
Text Selection could crash Firefox
* CVE-2022-24713 (bmo#1758509)
Denial of Service via complex regular expressions
* CVE-2022-28289 (bmo#1663508, bmo#1744525, bmo#1753508,
bmo#1757476, bmo#1757805, bmo#1758549, bmo#1758776)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=970
* https://www.mozilla.org/en-US/firefox/96.0/releasenotes
MFSA 2022-01 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071)
Calling into reportValidity could have lead to fullscreen
window spoof
* CVE-2022-22743 (bmo#1739220)
Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923)
Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389)
Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334)
Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382)
Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874)
Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720)
Iframe sandbox bypass with XSLT
* CVE-2022-22750 (bmo#1566608)
IPC passing of resource handles could have lead to sandbox
bypass
* CVE-2022-22749 (bmo#1705094)
Lack of URL restrictions when scanning QR codes
* CVE-2022-22748 (bmo#1705211)
Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856)
Leaking cross-origin URLs through securitypolicyviolation
event
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=951
* You can now move the Picture-in-Picture toggle button to the
opposite side of the video. Simply look for the new context menu
option Move Picture-in-Picture Toggle to Left (Right) Side.
* To better protect Firefox users against side-channel attacks such
as Spectre, Site Isolation is now enabled for all Firefox 95 users.
* https://www.mozilla.org/en-US/firefox/95.0/releasenotes
MFSA 2021-52 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* MOZ-2021-0010 (bmo#1735852)
Use-after-free in fullscreen objects on MacOS
* CVE-2021-43540 (bmo#1636629)
WebExtensions could have installed persistent ServiceWorkers
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43544 (bmo#1739934)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=947
* New: PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features
* New: Print updates: Margin units are now localized
* New: Smooth pinch-zooming using a touchpad is now supported
on Linux
* New: To protect against cross-site privacy leaks, Firefox now
isolates window.name data to the website that created it.
Learn more
* Changed: Firefox will not prompt for access to your
microphone or camera if you’ve already granted access to the
same device on the same site in the same tab within the past
50 seconds. This new grace period reduces the number of times
you’re prompted to grant device access
* Changed: The ‘Take a Screenshot’ feature was removed from the
Page Actions menu in the url bar. To take a screenshot,
right-click to open the context menu. You can also add a
screenshots shortcut directly to your toolbar via the
Customize menu. Open the Firefox menu and select Customize…
* Changed: FTP support has been disabled, and its full removal
is planned for an upcoming release. Addressing this security
risk reduces the likelihood of an attack while also removing
support for a non-encrypted protocol
* Developer: Introduced a new toggle button in the Network
panel for switching between JSON formatted HTTP response and
raw data (as received over the wire).
!enter image description here
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. You can see
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=904
* requires NSS >= 3.61
* requires rust-cbindgen >= 0.16.0
* Firefox now supports simultaneously watching multiple videos in
Picture-in-Picture.
* Total Cookie Protection to Strict Mode
* https://www.mozilla.org/en-US/firefox/86.0/releasenotes
MSFA 2021-07 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23970 (bmo#1681724)
Multithreaded WASM triggered assertions validating separation
of script domains
* CVE-2021-23968 (bmo#1687342)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23974 (bmo#1528997, bmo#1683627)
noscript elements could have led to an HTML Sanitizer bypass
* CVE-2021-23971 (bmo#1678545)
A website's Referrer-Policy could have been be overridden,
potentially resulting in the full URL being sent as a Referrer
* CVE-2021-23976 (bmo#1684627)
Local spoofing of web manifests for arbitrary pages in
Firefox for Android
* CVE-2021-23977 (bmo#1684761)
Malicious application could read sensitive data from Firefox
for Android's application directories
* CVE-2021-23972 (bmo#1683536)
HTTP Auth phishing warning was omitted when a redirect is
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=895
* Adobe Flash is completely history
* supercookie protection
* new bookmark handling and features
MFSA 2021-03 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2021-23955 (bmo#1684837)
Clickjacking across tabs through misusing requestPointerLock
* CVE-2021-23956 (bmo#1338637)
File picker dialog could have been used to disclose a
complete directory
* CVE-2021-23957 (bmo#1584582)
Iframe sandbox could have been bypassed on Android via the
intent URL scheme
* CVE-2021-23958 (bmo#1642747)
Screen sharing permission leaked across tabs
* CVE-2021-23959 (bmo#1659035)
Cross-Site Scripting in error pages on Firefox for Android
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23962 (bmo#1677194)
Use-after-poison in
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=888
* Firefox 84 is the final release to support Adobe Flash
* WebRender is enabled by default when run on GNOME-based X11
Linux desktops
MFSA 2020-54 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26972 (bmo#1671382)
Use-After-Free in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26975 (bmo#1661071)
Malicious applications on Android could have induced Firefox
for Android into sending arbitrary attacker-specified headers
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2020-26977 (bmo#1676311)
URL spoofing via unresponsive port in Firefox for Android
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-26979 (bmo#1641287, bmo#1673299)
When entering an address in the address or search bars, a
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=880