The Indian Computer Emergency Response Team (CERT-In) has issued a critical warning to users of Mozilla products, alerting them to a series of vulnerabilities that could expose their devices to hacking threats. The vulnerabilities, collectively identified as CERT-In Vulnerability Note CIVN-2023-0348, pose a significant risk to the security and functionality of impacted devices.
CERT-In’s security note reveals that the highlighted vulnerabilities arise from various coding flaws that could permit attackers to seize control of devices, pilfer sensitive data, or disrupt normal operations. The identified vulnerabilities encompass:
1. Out-of-bound memory access in WebGL2 blitFramebuffer: This flaw could lead to crashes in affected browsers or the execution of arbitrary code.
2. Use-after-free vulnerabilities in MessagePort::Entangled and ReadableByteStreamQueueEntry::Buffer: These vulnerabilities could allow attackers to manipulate memory and potentially gain unauthorized access to sensitive information.
3. Clickjacking permission prompts using the fullscreen transition: This issue could enable attackers to deceive users into granting permission for malicious websites to access sensitive information or perform actions without consent.
4. Selection API copying contents into X11 primary selection: This vulnerability could empower attackers to pilfer sensitive information copied to the clipboard.
5. Incorrect parsing of relative URLs starting with “III”: This flaw could allow attackers to redirect users to malicious websites or bypass security measures.
6. Mixed-content resources not blocked in a javascript: pop-up: This vulnerability could permit attackers to load insecure content on websites, potentially compromising user security.
7. Clickjacking to load insecure pages in HTTPS-only mode: This issue could enable attackers to bypass HTTPS security and load malicious content on websites.
8. Memory safety bugs: These bugs could allow attackers to crash affected browsers or execute arbitrary code.
