* Firefox 84 is the final release to support Adobe Flash
* WebRender is enabled by default when run on GNOME-based X11
Linux desktops
MFSA 2020-54 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26972 (bmo#1671382)
Use-After-Free in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26975 (bmo#1661071)
Malicious applications on Android could have induced Firefox
for Android into sending arbitrary attacker-specified headers
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2020-26977 (bmo#1676311)
URL spoofing via unresponsive port in Firefox for Android
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-26979 (bmo#1641287, bmo#1673299)
When entering an address in the address or search bars, a
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=880
* https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
MFSA 2020-08 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections against
state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6808 (bmo#1247968)
URL Spoofing via javascript: URL
* CVE-2020-6809 (bmo#1420296)
Web Extensions with the all-urls permission could access local
files
* CVE-2020-6810 (bmo#1432856)
Focusing a popup while in fullscreen could have obscured the
fullscreen notification
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6813 (bmo#1605814)
@import statements in CSS could bypass the Content Security
Policy nonce feature
* CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636,
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=809
MFSA 2019-26
* CVE-2019-11751 (bmo#1572838; Windows only)
Malicious code execution through command line parameters
* CVE-2019-11746 (bmo#1564449)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033)
XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715)
Same-origin policy violation with SVG filters and canvas to steal
cross-origin images
* CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only))
File manipulation and privilege escalation in Mozilla Maintenance Service
* CVE-2019-11753 (bmo#1574980; Windows only)
Privilege escalation with Mozilla Maintenance Service in custom
Firefox installation location
* CVE-2019-11752 (bmo#1501152)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-9812 (bmo#1538008, bmo#1538015)
Sandbox escape through Firefox Sync
* CVE-2019-11743 (bmo#1560495)
Cross-origin access to unload event attributes
* CVE-2019-11748 (bmo#1564588)
Persistence of WebRTC permissions in a third party context
* CVE-2019-11749 (bmo#1565374)
Camera information available without prompting using getUserMedia
* CVE-2019-11750 (bmo#1568397)
Type confusion in Spidermonkey
* CVE-2019-11738 (bmo#1452037)
Content security policy bypass through hash-based sources in directives
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=760
