======================================================================
CERT-Renater Note d'Information No. 2024/VULN246
_____________________________________________________________________

DATE                 : 16/05/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Firefox versions prior to 126 and Firefox ESR versions prior to 115.11.
=====================================================================

https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/

_____________________________________________________________________

Mozilla Foundation Security Advisory 2024-22
Security Vulnerabilities fixed in Firefox ESR 115.11

Announced : May 14, 2024
Impact    : high
Products  : Firefox ESR
Fixed in  : Firefox ESR 115.11

#CVE-2024-4367: Arbitrary JavaScript execution in PDF.js
  Reporter    : Thomas Rinsma of Codean Labs
  Impact      : high
  Description : A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context.
  References  : Bug 1893645

#CVE-2024-4767: IndexedDB files retained in private browsing mode
  Reporter    : Kim Do Hun via Tor Browser
  Impact      : moderate
  Description : If the browser.privatebrowsing.autostart preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox.
  References  : Bug 1878577

#CVE-2024-4768: Potential permissions request bypass via clickjacking
  Reporter    : Hafiizh
  Impact      : moderate
  Description : A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions.
  References  : Bug 1886082

#CVE-2024-4769: Cross-origin responses could be distinguished between script and non-script content-types
  Reporter    : Shaheen Fazim
  Impact      : moderate
  Description : When importing resources using Web Workers, error messages would distinguish between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin.
  References  : Bug 1886108

#CVE-2024-4770: Use-after-free could occur when printing to PDF
  Reporter    : Irvan Kurniawan
  Impact      : moderate
  Description : When saving a page to PDF, certain font styles could have led to a potential use-after-free crash.
  References  : Bug 1893270

#CVE-2024-4777: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11
  Reporter    : Daniel Holbert and the Mozilla Fuzzing Team
  Impact      : moderate
  Description : Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
  References  : Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11

_____________________________________________________________________

Mozilla Foundation Security Advisory 2024-21
Security Vulnerabilities fixed in Firefox 126

Announced : May 14, 2024
Impact    : high
Products  : Firefox
Fixed in  : Firefox 126

#CVE-2024-4764: Use-after-free when audio input connected with multiple consumers
  Reporter    : Jan-Ivar Bruaroey
  Impact      : high
  Description : Multiple WebRTC threads could have claimed a newly connected audio input, leading to a use-after-free.
  References  : Bug 1879093

#CVE-2024-4367: Arbitrary JavaScript execution in PDF.js
  Reporter    : Thomas Rinsma of Codean Labs
  Impact      : high
  Description : A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context.
  References  : Bug 1893645

#CVE-2024-4765: Web application manifests could have been overwritten via hash collision
  Reporter    : Dana Keeler
  Impact      : moderate
  Description : Web application manifests were stored using an insecure MD5 hash, which allowed a hash collision to overwrite another application's manifest. This could have been exploited to run arbitrary code in another application's context. This issue only affects Firefox for Android. Other versions of Firefox are unaffected.
  References  : Bug 1871109

#CVE-2024-4766: Fullscreen notification could have been obscured on Firefox for Android
  Reporter    : Hafiizh
  Impact      : moderate
  Description : Different techniques existed to obscure the fullscreen notification in Firefox for Android. These could have led to potential user confusion and spoofing attacks. This bug only affects Firefox for Android. Other versions of Firefox are unaffected.
  References  : Bug 1871214, Bug 1871217

#CVE-2024-4767: IndexedDB files retained in private browsing mode
  Reporter    : Kim Do Hun via Tor Browser
  Impact      : moderate
  Description : If the browser.privatebrowsing.autostart preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox.
  References  : Bug 1878577

#CVE-2024-4768: Potential permissions request bypass via clickjacking
  Reporter    : Hafiizh
  Impact      : moderate
  Description : A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions.
  References  : Bug 1886082

#CVE-2024-4769: Cross-origin responses could be distinguished between script and non-script content-types
  Reporter    : Shaheen Fazim
  Impact      : moderate
  Description : When importing resources using Web Workers, error messages would distinguish between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin.
  References  : Bug 1886108

#CVE-2024-4770: Use-after-free could occur when printing to PDF
  Reporter    : Irvan Kurniawan
  Impact      : moderate
  Description : When saving a page to PDF, certain font styles could have led to a potential use-after-free crash.
  References  : Bug 1893270

#CVE-2024-4771: Failed allocation could lead to use-after-free
  Reporter    : Irvan Kurniawan
  Impact      : moderate
  Description : A memory allocation check was missing, which would lead to a use-after-free if the allocation failed. This could have triggered a crash or potentially been leveraged to achieve code execution.
  References  : Bug 1893891

#CVE-2024-4772: Use of insecure rand() function to generate nonce
  Reporter    : Hanno Böck
  Impact      : low
  Description : An HTTP digest authentication nonce value was generated using rand(), which could lead to predictable values.
  References  : Bug 1870579

#CVE-2024-4773: URL bar could be cleared after network error
  Reporter    : Islam
  Impact      : low
  Description : When a network error occurred during page load, the prior content could have remained in view with a blank URL bar. This could have been used to obfuscate a spoofed web site.
  References  : Bug 1875248

#CVE-2024-4774: Undefined behavior in ShmemCharMapHashEntry()
  Reporter    : Ronald Crane
  Impact      : low
  Description : The ShmemCharMapHashEntry() code was susceptible to potentially undefined behavior by bypassing the move semantics for one of its data members.
  References  : Bug 1886598

#CVE-2024-4775: Invalid memory access in the built-in profiler
  Reporter    : Lukas Bernhard
  Impact      : low
  Description : An iterator stop condition was missing when handling WASM code in the built-in profiler, potentially leading to invalid memory access and undefined behavior. Note: This issue only affects the application when the profiler is running.
  References  : Bug 1887332

#CVE-2024-4776: Window may remain disabled after file dialog is shown in full-screen
  Reporter    : Raphael
  Impact      : low
  Description : A file dialog shown while in full-screen mode could have resulted in the window remaining disabled.
  References  : Bug 1887343

#CVE-2024-4777: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11
  Reporter    : Daniel Holbert and the Mozilla Fuzzing Team
  Impact      : moderate
  Description : Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
  References  : Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11

#CVE-2024-4778: Memory safety bugs fixed in Firefox 126
  Reporter    : Mozilla Fuzzing Team
  Impact      : moderate
  Description : Memory safety bugs present in Firefox 125. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
  References  : Memory safety bugs fixed in Firefox 126

=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel       | fax : 01-53-94-20-41         +
+ 75013 Paris            | email : cert@support.renater.fr +
=========================================================