Mozilla: >> Firefox >> 127.0.2 Security Vulnerabilities
Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects Firefox < 128.
CVSS Score
8.8
EPSS Score
0.004
Published
2024-07-09
Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 128 and Thunderbird < 128.
CVSS Score
8.2
EPSS Score
0.001
Published
2024-07-09
It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128 and Thunderbird < 128.
CVSS Score
8.8
EPSS Score
0.007
Published
2024-07-09
It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128 and Thunderbird < 128.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-07-09
When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128.
CVSS Score
8.8
EPSS Score
0.005
Published
2024-07-09
Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. This vulnerability affects Firefox < 128 and Thunderbird < 128.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-07-09
The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.
CVSS Score
5.3
EPSS Score
0.023
Published
2016-09-06
The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.
CVSS Score
5.3
EPSS Score
0.023
Published
2016-09-06
Cross-site scripting (XSS) vulnerability in clickstream.js in Y! Toolbar plugin for FireFox 3.1.0.20130813024103 for Mac, and 2.5.9.2013418100420 for Windows, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is stored by the victim.
CVSS Score
4.3
EPSS Score
0.003
Published
2014-01-26
Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
CVSS Score
7.6
EPSS Score
0.06
Published
2014-01-15