Mozilla has announced the release of Firefox 115, a stable channel update that addresses a dozen vulnerabilities, including two high-severity use-after-free bugs. The first vulnerability, CVE-2023-37201, involves a use-after-free flaw in WebRTC certificate generation, which could be exploited when creating a WebRTC connection over HTTPS.
The second vulnerability, CVE-2023-37202, pertains to a potential use-after-free issue in the SpiderMonkey JavaScript and WebAssembly engine, caused by a compartment mismatch.
In addition to these high-severity vulnerabilities, the Firefox update addresses memory safety bugs that could potentially have been exploited to execute arbitrary code. These flaws are collectively identified as CVE-2023-37211 and CVE-2023-37212.
Furthermore, Firefox 115 includes patches for eight medium-severity vulnerabilities that could lead to various security risks, such as unauthorized tracking, arbitrary code execution, spoofing attacks, URL spoofing, the download of files containing malicious code, use-after-free conditions, and users being tricked into submitting sensitive data to malicious sites.
Mozilla also announced the release of Firefox ESR 102.13 and Thunderbird 102.13, both equipped with patches for five vulnerabilities, including the high-severity use-after-free and memory safety bugs that were addressed in Firefox 115.
Detailed information regarding the resolved vulnerabilities can be found on Mozilla’s security advisories page. Users are strongly advised to update their browsers and email clients to the latest versions to mitigate these security risks.