security@mozilla.org reports:
- Firefox adds web-compatibility shims in place of some
tracking scripts blocked by Enhanced Tracking Protection.
On a site protected by Content Security Policy in
"strict-dynamic" mode, an attacker able to
inject an HTML element could have used a DOM
Clobbering attack on some of the shims and achieved XSS,
bypassing the CSP strict-dynamic protection.
- Form validation popups could capture escape key presses.
Therefore, spamming form validation messages could be used
to prevent users from exiting full-screen mode.
- When almost out-of-memory an elliptic curve key which
was never allocated could have been freed again.
- It was possible to move the cursor using pointerlock
from an iframe. This allowed moving the cursor outside
of the viewport and the Firefox window.