It is recommended to upgrade to a Firefox version > 99.

CVE-2018-1303: Memory safety bugs fixed in Firefox



- Incorrect use of inheritance could lead to unexpected behavior or crashes in some objects.

- WebExtensions can bypass the permission prompt if they are not signed.

- Accessing the DOM through a frame with a deleted origin could lead to cross-origin information disclosure.

- The “trackStop” event could be fired after the target element has been removed.

- Incorrect handling of certain font faces could lead to incorrect rendering.

- The “patchAndDecorate” function could cause text input fields to be marked as disabled.

How dangerous is it?

The severity of the issues varies from minor to critical, and examples of how a user could be impacted are provided.

FAQ

- What happened with Firefox version 99?
Firefox version 99 was released on September 25, 2018. Mozilla decided to make the change because of stability concerns and also because it was a major release.
- Why does upgrading to a Firefox version > 99 help?
Upgrading to a Firefox version > 99 fixes many bugs that were found in previous versions. These include memory safety bugs, incorrect use of inheritance, access to the DOM through a frame with a deleted origin, and incorrect handling of font faces.

About Talos Intelligence Group

Talos is a vulnerability intelligence group that helps organizations identify and mitigate threats in their networks. They primarily provide intel on vulnerabilities across the web, but also have groups for cryptocurrencies, IoT, and mobile devices.

- They offer a free Cyber Threat Defense service to find advanced persistent threats (APTs).

- The group offers a free Web Application Firewall.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 20:43:00 UTC
