New Security Updates Introduced to Firefox 120: A Sneak Peek

Mozilla has rolled out Firefox 120, which addresses a total of 10 vulnerabilities: six categorized as 'High Severity,' along with two moderate-severity and two low-severity issues.

Key Highlights of Changes to Firefox 120

  • The update introduces a Global Privacy Control setting.
  • Users now have the option to import data from Chromium Snap.
  • A new feature allows users to copy links without including site tracking information.
  • The Picture-in-Picture mode on Windows and Linux now supports corner snapping.
  • A new feature has been added to the Developer Tools.
  • TLS trust anchors can now be imported.
  • Improvements have been made in private windows and the ETP-Strict privacy configuration.

High Severity Flaws Addressed

Several high-severity issues reported during testing are now fixed:

CVE-2023-6204

This vulnerability allowed for an out-of-bounds read and memory data leakage into images created on the canvas element. Reported by JSec of Hayyim Security.

CVE-2023-6205

The bug permitted the use of a MessagePort after it had been freed, potentially leading to an exploitable crash. Reported by Yangkang of the 360 ATA Team.

CVE-2023-6206

This issue involved a black fade animation during exit from fullscreen, potentially leading to clickjacking. Reported by Hafiizh.

CVE-2023-6207

A use-after-free in ReadableByteStreamQueueEntry::Buffer was fixed. Reported by Yangkang of the 360 ATA Team.

CVE-2023-6212

A memory safety bug was fixed in Firefox 120, ESR 115.5, and Thunderbird 115.5.

CVE-2023-6213

CVE-2023-6213 covers memory safety issues addressed in Firefox 120. Mozilla developers reported both of these high-severity bugs.

Mozilla's developers reported that some of these memory safety bugs showed evidence of memory corruption. It is presumed that, with sufficient effort, some of them could have been exploited to run arbitrary code.

Moderate and Low Severity Issues 

Moderate Severity Issues that were addressed include:

CVE-2023-6208

Using the Selection API would copy contents into X11 primary selection.

CVE-2023-6209

Incorrect parsing of relative URLs starting with.

Low Severity Issues Addressed

CVE-2023-6210

Mixed-content resources are now blocked in a javascript: pop-up.

CVE-2023-6211

Clickjacking to load insecure pages in HTTPS-only mode.

For those interested, Firefox 120 is available for download on the Mozilla website, compatible with Windows, macOS, and Linux.