"Firefox 115 Patches High-Severity Use-After-Free Vulnerabilities"

Mozilla recently announced the release of Firefox 115 to the stable channel with patches for a dozen vulnerabilities, including two high-severity use-after-free bugs.  The first high-severity issue is tracked as CVE-2023-37201 and is described as a use-after-free flaw in WebRTC certificate generation.  WebRTC is an open source project and enables real-time communication in web browsers and mobile applications via application programming interfaces (APIs).  Mozilla noted that an attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS.  The second high-severity vulnerability, CVE-2023-37202, is described as a potential use-after-free issue from compartment mismatch in the open source JavaScript and WebAssembly engine SpiderMonkey.  Mozilla stated that cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free.  Mozilla noted that the latest Firefox update also addresses high-severity memory safety bugs that might have led to the execution of arbitrary code.  The flaws are collectively tracked as CVE-2023-37211 and CVE-2023-37212.  Firefox 115 also includes patches for eight medium-severity vulnerabilities leading to malicious sites placing trackers without permissions, arbitrary code execution, spoofing attacks, URL spoofing, download of files containing malicious code, use-after-free conditions, and tricking users into submitting sensitive data to malicious sites.  Recently, Mozilla also announced that Firefox ESR 102.13 and Thunderbird 102.13 were released with patches for five vulnerabilities, including the high-severity use-after-free and memory safety bugs that were addressed in Firefox 115.

SecurityWeek reports: "Firefox 115 Patches High-Severity Use-After-Free Vulnerabilities"