Update now! Mozilla fixes security vulnerabilities in Firefox 94

In a security advisory, Mozilla has announced that several security issues in its Firefox browser have been fixed. Several of these vulnerabilities were listed as having a high impact.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). We’ll discuss some of the CVEs fixed in this update below.

XSLT in an iFrame

Listed as CVE-2021-38503, this is an issue where the iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. Attackers could use manipulated XSLT stylesheets to execute scripts or break out into the main frame.

XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents, or other formats such as HTML for web pages, plain text or XSL Formatting Objects, which may subsequently be converted to other formats, such as PDF, PostScript and PNG.

Use-after-free in file picker dialog

The vulnerability listed under CVE-2021-38504 could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the file picker dialog. By persuading a victim to visit a specially-crafted website, a remote attacker could create an interaction with an HTML input element’s file picker dialog with webkitdirectory set. Use after free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Windows 10 Cloud Clipboard

The vulnerability listed under CVE-2021-38505 only applies to users of Firefox for Windows 10+ with Cloud Clipboard enabled. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats. Firefox versions before 94 and ESR 91.3 did not implement these formats. This could have caused sensitive data to be recorded to a user’s Microsoft account.

Unsolicited full screen mode

CVE-2021-38506 describes a vulnerability in which, through a series of navigations, Firefox could have entered full screen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This type of attack is particularly useful for Tech Support scammers because they can make the browser page look like a security warning or BSOD, and trick the user into calling a specific number.

Opportunistic Encryption in HTTP2

CVE-2021-38507 concerns the Opportunistic Encryption feature of HTTP2 (RFC 8164), which allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) doesn’t opt in to opportunistic encryption, a network attacker could forward a connection that the browser made to port 443 on to port 8443 instead, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.

QR code scan

The vulnerability listed under MOZ-2021-0003 does not have a CVE number assigned to it. The vulnerability only affects Firefox for Android. A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. QR codes are complicated barcodes that are popular among scammers. It’s advisable to use a QR scanner that checks or at least displays the URL before it follows the link.
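As an added illustration of the "check or at least display the URL" advice (not Mozilla's fix and not code from the advisory), this sketch vets a decoded QR payload before anything opens it. The function name, the refusal rules and the sample payloads are assumptions made for the example; it applies general URL hygiene and does not reconstruct the Firefox for Android bug.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def vet_scanned_url(payload):
    """Return (ok, detail): the host to show the user, or the reason for refusal."""
    payload = payload.strip()
    # Browsers drop tabs and newlines inside URLs, so "java\tscript:" must not
    # be allowed to reach the scheme check in disguise.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in payload):
        return False, "whitespace or control character inside payload"
    try:
        parts = urlsplit(payload)
        host = parts.hostname
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not http or https"
    if not host:
        return False, "no host name"
    if has_userinfo:
        # "https://trusted.example@other.example/" opens other.example.
        return False, "user info before the host name"
    try:
        # Show internationalised names in punycode so lookalikes stand out.
        display_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "host name is not valid IDNA"
    return True, display_host


# Constructed sample payloads, as a QR decoder might return them.
SAMPLES = [
    "https://www.mozilla.org/firefox/",
    "javascript:void(0)",
    "https://login.example.com@203.0.113.7/",
    "java\tscript:void(0)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", vet_scanned_url(sample))
```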

Memory safety bugs

Several memory safety bugs were grouped under MOZ-2021-0007. Some of these bugs showed evidence of memory corruption and it was presumed that with enough effort some of these could have been exploited to run arbitrary code. These bugs were found by Mozilla developers and community members and have also been fixed in this update.

How to protect yourself

All of the issues listed above, and more, have been fixed in Firefox 94 and Firefox ESR 91.3. By default, Firefox updates automatically. You can also check for updates manually at any time, in which case an update is downloaded, but it is not installed until you restart Firefox.

  • Click the menu button, click Help and select About Firefox.
  • The About Mozilla Firefox window opens. Firefox will check for updates and, if an update is available, it will be downloaded automatically by default.
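For administrators checking more than one machine, the following added example (not from Mozilla or the original article) compares reported version strings against the fixed versions named above. It assumes strings in the style printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the host names and inventory are constructed.

```python
import re

# Fixed versions as stated in the article: Firefox 94 and Firefox ESR 91.3.
FIXED_RELEASE = (94, 0, 0)
FIXED_ESR = (91, 3, 0)

# Matches "93.0", "91.2.0esr", "94.0.1"; the "esr" suffix marks an ESR build.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_firefox_version(text):
    """Return ((major, minor, patch), is_esr) for a reported version string."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Firefox version in {text!r}")
    major, minor, patch, esr = match.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_patched(text):
    """ESR builds are compared with 91.3, all other builds with 94."""
    version, is_esr = parse_firefox_version(text)
    return version >= (FIXED_ESR if is_esr else FIXED_RELEASE)


def hosts_needing_update(inventory):
    """inventory maps host -> version string; unparseable entries are flagged too."""
    pending = []
    for host, reported in sorted(inventory.items()):
        try:
            if not is_patched(reported):
                pending.append(host)
        except ValueError:
            pending.append(host)
    return pending


# Constructed sample inventory (host names and strings are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 93.0",
    "ws-02": "Mozilla Firefox 94.0.1",
    "ws-03": "Mozilla Firefox 91.2.0esr",
    "ws-04": "Mozilla Firefox 91.3.0esr",
    "ws-05": "Mozilla Firefox 91.0.2",  # release channel, not ESR
    "ws-06": "version unknown",
}

if __name__ == "__main__":
    print(hosts_needing_update(SAMPLE_INVENTORY))
```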

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher
