firefox security
About this tag
The Firefox security tag covers discussions about vulnerabilities and security fixes in the Firefox browser and related Mozilla products like Thunderbird. Recent threads detail specific CVEs including CVE-2024-6611, a SameSite cookie bug in nested iframes that could leak cookies; CVE-2023-37203, a drag-and-drop flaw enabling arbitrary code execution; CVE-2024-4773, a UI spoofing issue; and memory safety bugs fixed in Firefox 126 (MFSA2024-21). Topics include technical analysis of each flaw, affected versions, patch releases, and mitigation advice for users and administrators. The tag is relevant for anyone tracking browser security updates, understanding real-world attack vectors, or managing Firefox deployments in enterprise environments.
A subtle bug in how Firefox and Thunderbird handled cross-site navigations inside nested iframes allowed browsers to incorrectly include SameSite=Strict or SameSite=Lax cookies in situations where they should have been withheld, creating a window for cookie leakage and session abuse. The issue...
A relatively obscure browser interaction — dragging and dropping content — turned into a tangible security risk when Mozilla disclosed CVE-2023-37203: an insufficient validation flaw in the Drag and Drop API that, when combined with social engineering, could trick users into creating shortcuts...
Firefox 125 contained multiple memory-safety defects that Mozilla’s fuzzing team judged serious enough to potentially allow arbitrary code execution; the issues were fixed in Firefox 126 (MFSA2024-21), and any installation running Firefox < 126 (including affected ESR/Thunderbird builds) should...
When a Firefox user encountered a network error while loading a page, the browser could leave the previous page’s content visible while showing an empty address bar — a confusing state that attackers could use to hide the real destination and attempt a spoofing attack. The bug, tracked as...