====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN116
_____________________________________________________________________

DATE                : 23/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Mozilla Firefox versions prior to
                                86, ESR 78.8.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/
_____________________________________________________________________

Mozilla Foundation Security Advisory 2021-07
Security Vulnerabilities fixed in Firefox 86

Announced        February 23, 2021
Impact           high
Products         Firefox
Fixed in
        Firefox 86


#CVE-2021-23969: Content Security Policy violation report could have
contained the destination of a redirect

Reporter          Masato Kinugawa
Impact            high

Description

As specified in the W3C Content Security Policy draft, when creating a
violation report, "User agents need to ensure that the source file is
the URL requested by the page, pre-redirects. If that’s not possible,
user agents need to strip the URL down to an origin to avoid
unintentional leakage." Under certain types of redirects, Firefox
incorrectly set the source file to be the destination of the redirects.
This was fixed to be the redirect destination's origin.

References

    Bug 1542194


#CVE-2021-23970: Multithreaded WASM triggered assertions validating
separation of script domains

Reporter           J. Ryan Stinnett
Impact             high

Description

Context-specific code was included in a shared jump table; resulting in
assertions being triggered in multithreaded wasm code.

References

    Bug 1681724


#CVE-2021-23968: Content Security Policy violation report could have
contained the destination of a redirect

Reporter            Ademar Nowasky Junior
Impact              high

Description

If Content Security Policy blocked frame navigation, the full
destination of a redirect served in the frame was reported in the
violation report; as opposed to the original frame URI. This could be
used to leak sensitive information contained in such URIs.

References

    Bug 1687342


#CVE-2021-23974: noscript elements could have led to an HTML Sanitizer
bypass

Reporter             Masato Kinugawa and Michał Bentkowski
Impact               moderate

Description

The DOMParser API did not properly process <noscript> elements for
escaping. This could be used as an mXSS vector to bypass an HTML
Sanitizer.

References

    Bug 1528997, 1683627


#CVE-2021-23971: A website's Referrer-Policy could have been be
overridden, potentially resulting in the full URL being sent as a
Referrer

Reporter              Luca Moretto
Impact                moderate

Description

When processing a redirect with a conflicting Referrer-Policy, Firefox
would have adopted the redirect's Referrer-Policy. This would have
potentially resulted in more information than intended by the original
origin being provided to the destination of the redirect.

References

    Bug 1678545


#CVE-2021-23976: Local spoofing of web manifests for arbitrary pages in
Firefox for Android

Reporter               Muneaki Nishimura
Impact                 moderate

Description

When accepting a malicious intent from other installed apps, Firefox for
Android accepted manifests from arbitrary file paths and allowed
declaring webapp manifests for other origins. This could be used to gain
fullscreen access for UI spoofing and could also lead to cross-origin
attacks on targeted websites.
Note: This issue is a different issue from CVE-2020-26954 and only
affected Firefox for Android. Other operating systems are unaffected.

References

    Bug 1684627

#CVE-2021-23977: Malicious application could read sensitive data from
Firefox for Android's application directories

Reporter               fatal0
Impact                 moderate

Description

Firefox for Android suffered from a time-of-check-time-of-use
vulnerability that allowed a malicious application to read sensitive
data from application directories.

Note: This issue is only affected Firefox for Android. Other operating
systems are unaffected.

References

    Bug 1684761

#CVE-2021-23972: HTTP Auth phishing warning was omitted when a redirect
is cached

Reporter                Vijay Tikudave
Impact                  low

Description

One phishing tactic on the web is to provide a link with HTTP Auth. For
example https://www.phishingtarget.com@evil.com. To mitigate this type
of attack, Firefox will display a warning dialog; however, this warning
dialog would not have been displayed if evil.com used a redirect that
was cached by the browser.

References

    Bug 1683536

#CVE-2021-23975: about:memory Measure function caused an incorrect
pointer operation

Reporter                Brian Carpenter of Geeknik Labs & Farm
Impact                  low

Description

The developer page about:memory has a Measure function for exploring
what object types the browser has allocated and their sizes. When this
function was invoked we incorrectly called the sizeof function, instead
of using the API method that checks for invalid pointers.

References

    Bug 1685145

#CVE-2021-23973: MediaError message property could have leaked
information about cross-origin resources

Reporter                 Andreas Pehrson
Impact                   low

Description

When trying to load a cross-origin resource in an audio/video context a
decoding error may have resulted, and the content of that error may have
revealed information about the resource.

References

    Bug 1690976

#CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

Reporter                Mozilla developers and community
Impact                  high

Description

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and
Mats Palmgren reported memory safety bugs present in Firefox 85 and
Firefox ESR 78.7. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could
have been exploited to run arbitrary code.

References

    Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

#CVE-2021-23979: Memory safety bugs fixed in Firefox 86

Reporter                Mozilla developers
Impact                  high

Description

Mozilla developers Tyson Smith, Lars T Hansen, Valentin Gosu, and
Sebastian Hengst reported memory safety bugs present in Firefox 85. Some
of these bugs showed evidence of memory corruption and we presume that
with enough effort some of these could have been exploited to run
arbitrary code.

References

    Memory safety bugs fixed in Firefox 86

_____________________________________________________________________


Mozilla Foundation Security Advisory 2021-08
Security Vulnerabilities fixed in Firefox ESR 78.8

Announced        February 23, 2021
Impact           high
Products         Firefox ESR
Fixed in
        Firefox ESR 78.8


#CVE-2021-23969: Content Security Policy violation report could have
contained the destination of a redirect

Reporter          Masato Kinugawa
Impact            high

Description

As specified in the W3C Content Security Policy draft, when creating a
violation report, "User agents need to ensure that the source file is
the URL requested by the page, pre-redirects. If that’s not possible,
user agents need to strip the URL down to an origin to avoid
unintentional leakage." Under certain types of redirects, Firefox
incorrectly set the source file to be the destination of the redirects.
This was fixed to be the redirect destination's origin.

References

    Bug 1542194


#CVE-2021-23968: Content Security Policy violation report could have
contained the destination of a redirect

Reporter          Ademar Nowasky Junior
Impact            high

Description

If Content Security Policy blocked frame navigation, the full
destination of a redirect served in the frame was reported in the
violation report; as opposed to the original frame URI. This could be
used to leak sensitive information contained in such URIs.

References

    Bug 1687342

#CVE-2021-23973: MediaError message property could have leaked
information about cross-origin resources

Reporter          Andreas Pehrson
Impact            low

Description

When trying to load a cross-origin resource in an audio/video context a
decoding error may have resulted, and the content of that error may have
revealed information about the resource.

References

    Bug 1690976


#CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

Reporter          Mozilla developers
Impact            high

Description

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and
Mats Palmgren reported memory safety bugs present in Firefox 85 and
Firefox ESR 78.7. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could
have been exploited to run arbitrary code.

References

    Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================