{"id":"MGASA-2022-0162","summary":"Updated firefox packages fix security vulnerability","details":"Documents in deeply-nested cross-origin browsing contexts could have obtained\npermissions granted to the top-level origin, bypassing the existing prompt and\nwrongfully inheriting the top-level permissions (CVE-2022-29909).\n\nFirefox did not properly protect against top-level navigations for an iframe\nsandbox with a policy relaxed through a keyword like\nallow-top-navigation-by-user-activation (CVE-2022-29911).\n\nRequests initiated through reader mode did not properly omit cookies with a\nSameSite attribute (CVE-2022-29912).\n\nWhen reusing existing popups Firefox would have allowed them to cover the\nfullscreen notification UI, which could have enabled browser spoofing attacks\n(CVE-2022-29914).\n\nFirefox behaved slightly differently for already known resources when loading\nCSS resources involving CSS variables. This could have been used to probe the\nbrowser history (CVE-2022-29916).\n\nMozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the\nMozilla Fuzzing Team reported memory safety bugs present in Firefox ESR 91.8.\nSome of these bugs showed evidence of memory corruption and we presume that\nwith enough effort some of these could have been exploited to run arbitrary\ncode (CVE-2022-29917).\n","modified":"2026-04-16T00:09:29.847948460Z","published":"2022-05-06T20:16:39Z","upstream":["CVE-2022-29909","CVE-2022-29911","CVE-2022-29912","CVE-2022-29914","CVE-2022-29916","CVE-2022-29917"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0162.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30367"},{"type":"WEB","url":"https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_78.html"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2022-17/"}],"affected":[{"package":{"name":"firefox","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/firefox?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"91.9.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0162.json"}},{"package":{"name":"firefox-l10n","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/firefox-l10n?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"91.9.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0162.json"}},{"package":{"name":"nss","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/nss?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.78.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0162.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}