Mozilla Foundation Security Advisory 2023-14

Summary:
Title: Security Vulnerabilities fixed in Firefox ESR 102.10
Announced: April 11, 2023
Impact: High
Products: Firefox ESR
Fixed in: Firefox ESR 102.10

Vulnerabilities:

1. CVE-2023-29531: Out-of-bound memory access in WebGL on macOS
   - Impact: High
   - Description: Out-of-bounds memory access using WebGL APIs, memory corruption, potentially exploitable crash. Only affects Firefox for macOS.

2. CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass
   - Impact: High
   - Description: Local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file. Only affects Windows.

3. CVE-2023-29533: Fullscreen notification obscured
   - Impact: High
   - Description: Website could obscure the fullscreen notification, leading to user confusion and possible spoofing attacks.

4. CVE-2023-1999: Double-free in libwebp
   - Impact: High
   - Description: Double-free could lead to memory corruption and a potentially exploitable crash.

5. CVE-2023-29535: Potential Memory Corruption following Garbage Collector compaction
   - Impact: High
   - Description: Weak maps accessed before correctly traced, leading to memory corruption and a potentially exploitable crash.

6. CVE-2023-29536: Invalid free from JavaScript code
   - Impact: High
   - Description: Incorrectly freed pointer could cause memory corruption and a potentially exploitable crash.

7. CVE-2023-29539: Content-Disposition filename truncation leads to Reflected File Download
   - Impact: Moderate
   - Description: Filename truncated if contained a NULL character, leading to reflected file download attacks.

8. CVE-2023-29541: Files with malicious extensions could have been downloaded unsafely on Linux
   - Impact: Moderate
   - Description: Firefox did not properly handle downloads of files, potentially running attacker-controlled commands.

9. CVE-2023-29542: Bypass of file download extension restrictions
   - Impact: Moderate
   - Description: Newline in filename could bypass file extension security mechanisms, leading to accidental execution of malicious code.

10. CVE-2023-29545: Windows Save As dialog resolved environment variables
    - Impact: Moderate
    - Description: Suggested filenames containing environment variables resolved in the context of the current user.

11. CVE-2023-1945: Memory Corruption in Safe Browsing Code
    - Impact: Moderate
    - Description: Unexpected data returned from the Safe Browsing API could lead to memory corruption and a potentially exploitable crash.

12. CVE-2023-29548: Incorrect optimization result on ARM64
    - Impact: Low
    - Description: Wrong lowering instruction in the ARM64 Ion compiler led to a wrong optimization result.

13. CVE-2023-29550: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10
    - Impact: High
    - Description: Memory safety bugs showed evidence of memory corruption and could be exploited to run arbitrary code.