MozillaFirefox-115.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13037-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z MozillaFirefox-115.0-1.1 on GA media These are all security issues fixed in the MozillaFirefox-115.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13037 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-3482/ SUSE CVE CVE-2023-3482 page https://www.suse.com/security/cve/CVE-2023-37201/ SUSE CVE CVE-2023-37201 page https://www.suse.com/security/cve/CVE-2023-37202/ SUSE CVE CVE-2023-37202 page https://www.suse.com/security/cve/CVE-2023-37203/ SUSE CVE CVE-2023-37203 page https://www.suse.com/security/cve/CVE-2023-37204/ SUSE CVE CVE-2023-37204 page https://www.suse.com/security/cve/CVE-2023-37205/ SUSE CVE CVE-2023-37205 page https://www.suse.com/security/cve/CVE-2023-37206/ SUSE CVE CVE-2023-37206 page https://www.suse.com/security/cve/CVE-2023-37207/ SUSE CVE CVE-2023-37207 page https://www.suse.com/security/cve/CVE-2023-37208/ SUSE CVE CVE-2023-37208 page https://www.suse.com/security/cve/CVE-2023-37209/ SUSE CVE CVE-2023-37209 page https://www.suse.com/security/cve/CVE-2023-37210/ SUSE CVE CVE-2023-37210 page https://www.suse.com/security/cve/CVE-2023-37211/ SUSE CVE CVE-2023-37211 page https://www.suse.com/security/cve/CVE-2023-37212/ SUSE CVE CVE-2023-37212 page openSUSE Tumbleweed MozillaFirefox-115.0-1.1 MozillaFirefox-branding-upstream-115.0-1.1 MozillaFirefox-devel-115.0-1.1 MozillaFirefox-translations-common-115.0-1.1 MozillaFirefox-translations-other-115.0-1.1 MozillaFirefox-115.0-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-branding-upstream-115.0-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-devel-115.0-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-translations-common-115.0-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-translations-other-115.0-1.1 as a component of openSUSE Tumbleweed When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a source of 'about:blank'. This could have led to malicious websites storing tracking data without permission. This vulnerability affects Firefox < 115. CVE-2023-3482 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-3482.html CVE-2023-3482 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. CVE-2023-37201 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37201.html CVE-2023-37201 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. CVE-2023-37202 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37202.html CVE-2023-37202 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 Insufficient validation in the Drag and Drop API in conjunction with social engineering, may have allowed an attacker to trick end-users into creating a shortcut to local system files. This could have been leveraged to execute arbitrary code. This vulnerability affects Firefox < 115. CVE-2023-37203 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37203.html CVE-2023-37203 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 A website could have obscured the fullscreen notification by using an option element by introducing lag via an expensive computational function. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115. CVE-2023-37204 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37204.html CVE-2023-37204 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 The use of RTL Arabic characters in the address bar may have allowed for URL spoofing. This vulnerability affects Firefox < 115. CVE-2023-37205 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37205.html CVE-2023-37205 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 Uploading files which contain symlinks may have allowed an attacker to trick a user into submitting sensitive data to a malicious website. This vulnerability affects Firefox < 115. CVE-2023-37206 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37206.html CVE-2023-37206 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. CVE-2023-37207 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37207.html CVE-2023-37207 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. CVE-2023-37208 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37208.html CVE-2023-37208 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 A use-after-free condition existed in `NotifyOnHistoryReload` where a `LoadingSessionHistoryEntry` object was freed and a reference to that object remained. This resulted in a potentially exploitable condition when the reference to that object was later reused. This vulnerability affects Firefox < 115. CVE-2023-37209 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37209.html CVE-2023-37209 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 A website could prevent a user from exiting full-screen mode via alert and prompt calls. This could lead to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115. CVE-2023-37210 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37210.html CVE-2023-37210 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. CVE-2023-37211 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37211.html CVE-2023-37211 https://bugzilla.suse.com/1212438 SUSE Bug 1212438 Memory safety bugs present in Firefox 114. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 115. CVE-2023-37212 openSUSE Tumbleweed:MozillaFirefox-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-115.0-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-115.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-37212.html CVE-2023-37212 https://bugzilla.suse.com/1212438 SUSE Bug 1212438