
Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

In Firefox 105, a total of seven vulnerabilities were patched, three of which received the security risk rating “high”. In Thunderbird, three security vulnerabilities were patched, one of them with the rating “high”.

Security advisories were published for Firefox 105, Firefox ESR 102.3, and Thunderbird 91.13.1. Firefox 105 is the browser most Mozilla users will have on their system. Firefox Extended Support Release (ESR) is an official version of Firefox developed for large organizations that need to set up and maintain Firefox on a large scale. Thunderbird is Mozilla’s free email application.

How to update

To find out which version you are using on a Windows machine, open the application menu and click on Help > About. On a Mac, look at the top menu and click Firefox > About Firefox. This will show which version you currently have and whether an update is available. On Android, use the My apps & games item in the Play Store side menu, find Firefox Browser in the list, and use the Update button next to it.


Downloading available update screen Firefox

The screens and the way to access them are largely the same for all Mozilla programs, including Thunderbird.

Once you’ve updated, you’re protected against these vulnerabilities.
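For fleets where opening Help > About on every machine is not practical, the same check can be scripted. The following is an added example, not code from Mozilla or from the original article: it classifies version strings against the fixed releases named above, assuming they were collected with `firefox --version` or `thunderbird --version`; the function names, host names and inventory are constructed for illustration.

```python
import re

# Fixed releases named in the advisories on this page.
FIXED = {"firefox": (105,), "firefox-esr": (102, 3), "thunderbird": (91, 13, 1)}
# Assumed shape of `<app> --version` output, e.g. "Mozilla Firefox 102.3.0esr".
_VERSION_RE = re.compile(r"(Firefox|Thunderbird)\s+(\d+(?:\.\d+)*)(esr)?", re.I)


def parse_version_line(line):
    """Return (product, version_tuple), or None if the line is not recognised."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    product = m.group(1).lower()
    if product == "firefox" and m.group(3):
        product = "firefox-esr"
    return product, tuple(int(part) for part in m.group(2).split("."))


def status(line):
    """Classify one version string as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_version_line(line)
    if parsed is None:
        return "unknown"
    product, version = parsed
    fixed = FIXED[product]
    # The page names a single Thunderbird release; other branches have their
    # own advisories, so do not guess for them.
    if product == "thunderbird" and version[0] != fixed[0]:
        return "unknown"
    # Pad so that 105, 105.0 and 105.0.0 compare as equal.
    width = max(len(version), len(fixed))
    padded = [v + (0,) * (width - len(v)) for v in (version, fixed)]
    return "patched" if padded[0] >= padded[1] else "vulnerable"


def hosts_needing_attention(inventory):
    """Map host -> status for every host that is not confirmed patched."""
    results = {host: status(line) for host, line in inventory.items()}
    return {host: s for host, s in results.items() if s != "patched"}


# Constructed inventory: host name -> version string collected from that host.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 105.0",
    "ws-02": "Mozilla Firefox 104.0.2",
    "kiosk-07": "Mozilla Firefox 102.2.0esr",
    "kiosk-08": "Mozilla Firefox 102.3.0esr",
    "mail-03": "Thunderbird 91.13.0",
}
```

Pre-release suffixes such as `b9` are not distinguished from the final release, so treat beta channels separately.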

Stay safe everyone!

The technical details

Firefox vulnerabilities

CVE-2022-40959: (High) Bypassing FeaturePolicy restrictions on transient pages. During iframe navigation, certain pages didn’t have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any iframe elements in the document.

CVE-2022-40960: (High) Data-race when parsing non-UTF-8 URLs in threads. Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. UTF-8 is an encoding system for Unicode characters. It can translate any Unicode character into a matching unique binary string. A non-UTF-8 character is a sequence of bytes that is not a valid UTF-8 character. Since UTF-8 as character encoding was introduced in 2005, there may still be some URLs that use a different encoding, or such URLs could be constructed to exploit this vulnerability.

CVE-2022-40962: (High) Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3. These bugs were found by Mozilla developers and the Mozilla Fuzzing Team. Some of these bugs showed evidence of memory corruption and it is likely that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2022-40958: (Moderate) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix. By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. In a session fixation attack, the attacker already has access to a valid session and tries to force the victim to use that particular session for his or her own purposes. In such a case the attack is initiated before the user logs in and the session fixation attack fixes an established session on the victim’s browser.

CVE-2022-40961: (Moderate) Stack-buffer overflow when initializing Graphics. During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash. This issue only affects Firefox for Android. Other operating systems are not affected.

CVE-2022-40956: (Low) Content-Security-Policy (CSP) base-uri bypass. When injecting an HTML base element, some requests would ignore the CSP’s base-uri settings and accept the injected element’s base instead. The HTTP CSP base-uri directive restricts the URLs which can be used in a document’s <base> element.

CVE-2022-40957: (Low) Incoherent instruction cache when building WASM on ARM64. Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications. This bug only affects Firefox on ARM64 platforms. ARM64 is the architecture used by newer Macs built on Apple Silicon, shipped in late 2020 and beyond.


Thunderbird vulnerabilities

CVE-2022-3033: (High) Leaking of sensitive information when composing a response to an HTML email with a META refresh tag. If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv="refresh" attribute, and the content attribute specifying a URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. This bug doesn’t affect Thunderbird users who have changed the default Message Body display setting to ‘simple html’ or ‘plain text’.

CVE-2022-3032: (Moderate) When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed.

CVE-2022-3034: (Moderate) An iframe element in an HTML email could trigger a network request. When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn’t display the document.
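While clients are still being updated, mail can be triaged for the three constructs described above. This is an added example, not Thunderbird's own remote-content logic and not code from the original article: it walks the HTML parts of a message and reports meta refresh tags, iframes with srcdoc and iframes with a remote src; the class name, function name, sample message and `example.test` addresses are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser


class RemoteTriggerFinder(HTMLParser):
    """Collect the HTML constructs named in the three Thunderbird advisories."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "").strip().lower()
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            # Flag every refresh instead of parsing the content syntax.
            self.findings.append(("CVE-2022-3033", "meta refresh: " + a.get("content", "")))
        elif tag == "iframe" and "srcdoc" in a:
            self.findings.append(("CVE-2022-3032", "iframe with srcdoc"))
        elif tag == "iframe" and src.startswith(("http:", "https:", "//")):
            self.findings.append(("CVE-2022-3034", "remote iframe: " + a["src"]))


def scan_message(raw):
    """Return (advisory, detail) findings for every text/html part of a message."""
    finder = RemoteTriggerFinder()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            finder.feed(payload.decode(charset, errors="replace"))
    finder.close()
    return finder.findings


# Constructed sample message; the addresses and URLs are placeholders.
SAMPLE_MESSAGE = """\
From: sender@example.test
To: user@example.test
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><head><meta http-equiv="refresh" content="1; url=https://tracker.example.test/r"></head>
<body><iframe srcdoc="&lt;img src='https://tracker.example.test/p.png'&gt;"></iframe>
<iframe src="https://tracker.example.test/frame"></iframe><p>Hello</p></body></html>
"""
```

A finding marks a message for review or quarantine on unpatched clients; it does not prove malicious intent, since these tags also appear in poorly built legitimate mail.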


Pieter Arntz

Malware Intelligence Researcher
