VYPR

Firefox

by Mozilla Corporation

Source repositories

CVEs (3,179)

  • CVE-2016-5279MedSep 22, 2016
    risk 0.28cvss 4.3epss 0.01

    Mozilla Firefox before 49.0 allows user-assisted remote attackers to obtain sensitive full-pathname information during a local-file drag-and-drop operation via crafted JavaScript code.

  • CVE-2016-5268MedAug 5, 2016
    risk 0.28cvss 4.3epss 0.01

    Mozilla Firefox before 48.0 does not properly set the LINKABLE and URI_SAFE_FOR_UNTRUSTED_CONTENT flags of about: URLs that are used for error pages, which makes it easier for remote attackers to conduct spoofing attacks via a crafted URL, as demonstrated by misleading text…

  • CVE-2016-5251MedAug 5, 2016
    risk 0.28cvss 4.3epss 0.01

    Mozilla Firefox before 48.0 allows remote attackers to spoof the location bar via crafted characters in the media type of a data: URL.

  • CVE-2016-5250MedAug 5, 2016
    risk 0.28cvss 4.3epss 0.02

    Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls.

  • CVE-2016-2830MedAug 5, 2016
    risk 0.28cvss 4.3epss 0.01

    Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 preserve the network connection used for favicon resource retrieval after the associated browser window is closed, which makes it easier for remote web servers to track users by observing network traffic from multiple…

  • CVE-2016-2832MedJun 13, 2016
    risk 0.28cvss 4.3epss 0.01

    Mozilla Firefox before 47.0 allows remote attackers to discover the list of disabled plugins via a fingerprinting attack involving Cascading Style Sheets (CSS) pseudo-classes.

  • CVE-2016-2820MedApr 30, 2016
    risk 0.28cvss 4.3epss 0.01

    The Firefox Health Reports (aka FHR or about:healthreport) feature in Mozilla Firefox before 46.0 does not properly restrict the origin of events, which makes it easier for remote attackers to modify sharing preferences by leveraging access to the remote-report IFRAME element.

  • CVE-2016-1965MedMar 13, 2016
    risk 0.28cvss 4.3epss 0.02

    Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 mishandle a navigation sequence that returns to the original page, which allows remote attackers to spoof the address bar via vectors involving the history.back method and the location.protocol property.

  • CVE-2016-1958MedMar 13, 2016
    risk 0.28cvss 4.3epss 0.02

    browser/base/content/browser.js in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to spoof the address bar via a javascript: URL.

  • CVE-2016-1957MedMar 13, 2016
    risk 0.28cvss 4.3epss 0.02

    Memory leak in libstagefright in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to cause a denial of service (memory consumption) via an MPEG-4 file that triggers a delete operation on an array.

  • CVE-2016-1955MedMar 13, 2016
    risk 0.28cvss 4.3epss 0.02

    Mozilla Firefox before 45.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by reading a Content Security Policy (CSP) violation report that contains path information associated with an IFRAME element.

  • CVE-2026-2802MedFeb 24, 2026
    risk 0.27cvss 4.2epss 0.00

    Race condition in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

  • CVE-2025-10859MedSep 30, 2025
    risk 0.26cvss 4.0epss 0.00

    Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs. This vulnerability was fixed in Firefox for iOS 143.1.

  • CVE-2025-0240MedJan 7, 2025
    risk 0.26cvss 4.0epss 0.01

    Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.

  • CVE-2025-0239MedJan 7, 2025
    risk 0.26cvss 4.0epss 0.00

    When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.

  • CVE-2024-3861MedApr 16, 2024
    risk 0.26cvss 4.0epss 0.00

    If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.

  • CVE-2025-1939LowMar 4, 2025
    risk 0.25cvss 3.9epss 0.00

    Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136.

  • CVE-2024-3302LowApr 16, 2024
    risk 0.24cvss 3.7epss 0.01

    There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.

  • CVE-2024-2606LowMar 19, 2024
    risk 0.24cvss 3.7epss 0.00

    Passing invalid data could have led to invalid wasm values being created, such as arbitrary integers turning into pointer values. This vulnerability affects Firefox < 124.

  • CVE-2019-11743LowSep 27, 2019
    risk 0.24cvss 3.7epss 0.02

    Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information…

Page 94 of 159