Mozilla this week patched several high-severity vulnerabilities in its Firefox and Thunderbird products.
Firefox 104 — as well as Firefox ESR 91.13 and 102.2 — patches a high-severity address bar spoofing issue related to XSLT error handling. The flaw, tracked as CVE-2022-38472, could be exploited for phishing.
The latest Firefox release also resolves CVE-2022-38473, an issue related to cross-origin XSLT documents that could pose security and privacy risks.
“A cross-origin iframe referencing an XSLT document would inherit the parent domain’s permissions (such as microphone or camera access),” Mozilla explained in its advisory.
