Key vulnerability information

CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin
 - Reporter: Jun Kokatsu
 - Impact: High
 - Description: During HTTP Live Stream playback on Firefox for Android, audio data can be read across origins in violation of the same-origin policy, so media served from one origin can be used to retrieve data from a content source on another.

CVE-2018-12392: Crash with nested event loops
 - Reporter: Nils
 - Impact: High
 - Description: When user events are manipulated in nested event loops while a document is being opened through script, a potentially exploitable crash can be triggered.

CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript
 - Reporter: R at Zero Day LLC
 - Impact: High
 - Description: On 32-bit builds, an integer overflow during the conversion of scripts to the internal UTF-16 representation can cause a buffer that is too small for the conversion to be allocated, leading to a possible out-of-bounds write.

CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting
 - Reporter: Rob Wu, Andrew Swan
 - Impact: Moderate
 - Description: By rewriting the Host request header, a WebExtension can bypass the domain restrictions imposed on it.

CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts
 - Reporter: Rob Wu
 - Impact: Moderate
 - Description: A WebExtension can run content scripts in contexts where they are disallowed, following navigation or other events.

CVE-2018-12397: Missing warning prompt when WebExtension requests local file access
 - Reporter: Rob Wu
 - Impact: Moderate
 - Description: A WebExtension can request access to local files without the user being shown a warning prompt, allowing the extension to run content scripts in local pages.

CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3
 - Reporter: Mozilla developers and community
 - Impact: Low
 - Description: Memory safety bugs present in Firefox ESR 60.2, some of which showed evidence of memory corruption.

CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
 - Reporter: Mozilla developers and community
 - Impact: Critical
 - Description: Memory safety bugs present in Firefox 62 and Firefox ESR 60.2, some of which showed evidence of memory corruption that, with enough effort, could presumably be exploited to run arbitrary code.