Date: 2024-10-11

CERT-In alerts users about multiple vulnerabilities in Mozilla Firefox and Thunderbird, affecting earlier versions. These flaws could allow remote code execution. Mozilla has responded with an urgent update for Firefox to mitigate a serious zero-day vulnerability.

The Computer Emergency Response Team (CERT-In), the cyber security watchdog under the Ministry of Electronics and Information Technology (MeitY), has issued a high-severity warning for Mozilla Firefox and Mozilla Thunderbird. The alert states that multiple vulnerabilities have been found in Mozilla products that an attacker could use to execute arbitrary code on the user's system.

As per CERT-In, the vulnerabilities affect Mozilla Firefox versions prior to Firefox 131, Firefox ESR versions prior to 128.3 and 115.16, and Mozilla Thunderbird versions prior to 128.3 and 131.

Explaining the causes behind the vulnerabilities, CERT-In noted, "These vulnerabilities exist in Mozilla Firefox due to Prevention of users from exiting full-screen mode in Firefox Focus for Android; Bypass of site isolation by Compromised content process; Cross-origin access to PDF and JSON contents through multipart responses; Obscuring of download type through Specially crafted filename; Potential memory corruption through cloning certain objects; Potential directory upload bypass via clickjacking; Enumeration of External protocol handlers via popups; Denial of service through Specially crafted request; Potential memory corruption during JIT compilation and Memory safety bugs."

Concerningly, the agency noted that a remote attacker could exploit these vulnerabilities by convincing a victim to open a specially crafted web request.

Mozilla accepts vulnerabilities with Firefox

Meanwhile, Mozilla also rolled out an emergency update, Firefox 131.0.2, to fix a zero-day vulnerability. In a security advisory on its website, Mozilla said that the vulnerability was a use-after-free related to CSS animations, which a cybercriminal could use to execute malicious code on the user's system.

