Vendor CVEs
Mozilla Corporation
All CVEs
3,627 total · sorted by risk

| CVE | Sev | Risk | CVSS | EPSS | Published | Description | Vendor / Product | KEV |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-1943 | Med | 0.31 | 4.7 | 0.01 | Jan 31, 2016 | Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via the scrollTo method. | ||
| CVE-2015-8508 | Med | 0.31 | 4.7 | 0.01 | Jan 3, 2016 | Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or… | ||
| CVE-2015-8512 | Med | 0.30 | 4.6 | 0.00 | Jan 9, 2016 | The lockscreen feature in Mozilla Firefox OS before 2.5 does not properly restrict failed authentication attempts, which makes it easier for physically proximate attackers to obtain access by entering many passcode guesses. | ||
| CVE-2020-12402 | Med | 0.29 | 4.4 | 0.00 | Jul 9, 2020 | During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the… | ||
| CVE-2020-12399 | Med | 0.29 | 4.4 | 0.01 | Jul 9, 2020 | NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. | ||
| CVE-2026-53900 | Med | 0.28 | 4.3 | 0.00 | Jun 16, 2026 | Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0. | ||
| CVE-2026-12320 | Med | 0.28 | 4.3 | 0.00 | Jun 16, 2026 | Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | ||
| CVE-2026-12303 | Med | 0.28 | 4.3 | 0.00 | Jun 16, 2026 | Information disclosure due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | ||
| CVE-2026-10702 | Med | 0.28 | 4.3 | 0.00 | Jun 2, 2026 | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 151.0.3. | ||
| CVE-2026-2919 | Med | 0.28 | 4.3 | 0.00 | Mar 9, 2026 | Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability was… | ||
| CVE-2026-2032 | Med | 0.28 | 4.3 | 0.00 | Feb 16, 2026 | Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1. | ||
| CVE-2026-0818 | Med | 0.28 | 4.3 | 0.00 | Jan 28, 2026 | When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer… | ||
| CVE-2026-0887 | Med | 0.28 | 4.3 | 0.00 | Jan 13, 2026 | Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. | ||
| CVE-2025-8364 | Med | 0.28 | 4.3 | 0.00 | Aug 19, 2025 | A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability was fixed in Firefox 141. | ||
| CVE-2025-6434 | Med | 0.28 | 4.3 | 0.00 | Jun 24, 2025 | The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140… | ||
| CVE-2025-6428 | Med | 0.28 | 4.3 | 0.00 | Jun 24, 2025 | When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability was… | ||
| CVE-2025-5266 | Med | 0.28 | 4.3 | 0.00 | May 27, 2025 | Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. | ||
| CVE-2025-5263 | Med | 0.28 | 4.3 | 0.00 | May 27, 2025 | Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. | ||
| CVE-2025-5020 | Med | 0.28 | 4.3 | 0.00 | May 21, 2025 | Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139. | ||
| CVE-2025-27425 | Med | 0.28 | 4.3 | 0.00 | Mar 4, 2025 | Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first. This vulnerability was fixed in Firefox for iOS 136. | ||
| CVE-2025-27424 | Med | 0.28 | 4.3 | 0.00 | Mar 4, 2025 | Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page. This vulnerability was fixed in Firefox for iOS 136. | ||
| CVE-2025-1935 | Med | 0.28 | 4.3 | 0.00 | Mar 4, 2025 | A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. | ||
| CVE-2025-1019 | Med | 0.28 | 4.3 | 0.00 | Feb 4, 2025 | The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135. | ||
| CVE-2025-23108 | Med | 0.28 | 4.3 | 0.00 | Jan 11, 2025 | Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability was fixed in Firefox for iOS 134. | ||
| CVE-2024-0749 | Med | 0.28 | 4.3 | 0.00 | Jan 23, 2024 | A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. This vulnerability affects Firefox < 122 and Thunderbird < 115.7. | ||
| CVE-2024-0748 | Med | 0.28 | 4.3 | 0.00 | Jan 23, 2024 | A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the address bar or history. This vulnerability affects Firefox < 122. | ||
| CVE-2024-0742 | Med | 0.28 | 4.3 | 0.01 | Jan 23, 2024 | It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. | ||
| CVE-2023-6871 | Med | 0.28 | 4.3 | 0.00 | Dec 19, 2023 | Under certain conditions, Firefox did not display a warning when a user attempted to navigate to a new protocol handler. This vulnerability affects Firefox < 121. | ||
| CVE-2023-6870 | Med | 0.28 | 4.3 | 0.00 | Dec 19, 2023 | Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displayed by Firefox. *This issue only affects Android versions of Firefox and Firefox Focus.* This vulnerability affects Firefox < 121. | ||
| CVE-2023-6868 | Med | 0.28 | 4.3 | 0.00 | Dec 19, 2023 | In some instances, the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties. *This bug only affects Firefox on Android.* This vulnerability… | ||
| CVE-2023-6135 | Med | 0.28 | 4.3 | 0.01 | Dec 19, 2023 | Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121. | ||
| CVE-2023-50762 | Med | 0.28 | 4.3 | 0.01 | Dec 19, 2023 | When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally… | ||
| CVE-2023-50761 | Med | 0.28 | 4.3 | 0.01 | Dec 19, 2023 | The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time… | ||
| CVE-2023-5729 | Med | 0.28 | 4.3 | 0.01 | Oct 25, 2023 | A malicious web site can enter fullscreen mode while simultaneously triggering a WebAuthn prompt. This could have obscured the fullscreen notification and could have been leveraged in a spoofing attack. This vulnerability affects Firefox < 119. | ||
| CVE-2023-5726 | Med | 0.28 | 4.3 | 0.01 | Oct 25, 2023 | A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks. *Note: This issue only affected macOS operating systems. Other operating systems are unaffected.* This vulnerability… | ||
| CVE-2023-5725 | Med | 0.28 | 4.3 | 0.01 | Oct 25, 2023 | A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. | ||
| CVE-2023-5721 | Med | 0.28 | 4.3 | 0.01 | Oct 25, 2023 | It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. | ||
| CVE-2023-4581 | Med | 0.28 | 4.3 | 0.01 | Sep 11, 2023 | Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15,… | ||
| CVE-2023-32212 | Med | 0.28 | 4.3 | 0.01 | Jun 2, 2023 | An attacker could have positioned a `datalist` element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. | ||
| CVE-2023-32205 | Med | 0.28 | 4.3 | 0.01 | Jun 2, 2023 | In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. | ||
| CVE-2023-29538 | Med | 0.28 | 4.3 | 0.00 | Jun 2, 2023 | Under specific circumstances a WebExtension may have received a jar:file:/// URI instead of a moz-extension:/// URI during a load request. This leaked directory paths on the user's machine. This vulnerability affects Firefox for Android < 112, Firefox <… | ||
| CVE-2023-29533 | Med | 0.28 | 4.3 | 0.01 | Jun 2, 2023 | A website could have obscured the fullscreen notification by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. This could have led to user confusion and possible spoofing attacks. This… | ||
| CVE-2023-28159 | Med | 0.28 | 4.3 | 0.00 | Jun 2, 2023 | The fullscreen notification could have been hidden on Firefox for Android by using download popups, resulting in potential user confusion or spoofing attacks. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects… | ||
| CVE-2023-25750 | Med | 0.28 | 4.3 | 0.00 | Jun 2, 2023 | Under certain circumstances, a ServiceWorker's offline cache may have leaked to the file system when using private browsing mode. This vulnerability affects Firefox < 111. | ||
| CVE-2023-25749 | Med | 0.28 | 4.3 | 0.00 | Jun 2, 2023 | Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. *This bug only affects Firefox for… | ||
| CVE-2023-25748 | Med | 0.28 | 4.3 | 0.00 | Jun 2, 2023 | By displaying a prompt with a long description, the fullscreen notification could have been hidden, resulting in potential user confusion or spoofing attacks. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects… | ||
| CVE-2022-46877 | Med | 0.28 | 4.3 | 0.01 | Dec 22, 2022 | By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108. | ||
| CVE-2022-45417 | Med | 0.28 | 4.3 | 0.00 | Dec 22, 2022 | Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have… | ||
| CVE-2022-3034 | Med | 0.28 | 4.3 | 0.01 | Dec 22, 2022 | When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. | ||
| CVE-2022-38474 | Med | 0.28 | 4.3 | 0.00 | Dec 22, 2022 | A website that had permission to access the microphone could record audio without the audio notification being shown. This bug does not allow the attacker to bypass the permission prompt - it only affects the notification shown once permission has been granted. *This bug… | ||