Mozilla has patched three high-severity vulnerabilities with the release of Firefox 81 and Firefox Extended Support Release (ESR) 78.3. Some of the flaws could be exploited to run arbitrary code.
Two critical bugs (CVE-2020-15674 and CVE-2020-15673) were errors in the browser’s memory-safety protections, which prevent memory access issues like buffer overflows. CVE-2020-15674 was discovered in Firefox 80 and reported by Byron Campen and Christian Holler, while CVE-2020-15673 was found in Firefox 80 and Firefox ESR 78.2 and reported by Jason Kratzer.
“Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” said Mozilla in a security advisory.
Mozilla classified these flaws as issues “that can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.”