Mozilla Firefox users are receiving alerts regarding multiple vulnerabilities in the web browser by the Indian Computer Emergency Response Team (CERT-In). An advisory has also been issued in the regard asking the users to update their web browsers as soon as possible.
While rating the severity of the vulnerability as 'High' on all the versions of Mozilla Firefox that have been released before version 75 and version 68.7 on Mozilla Firefox ESR, the CERT-In stated in the advisory that remote hackers can take advantage of these browser flaws to acquire sensitive data through the browser.
According to the CERT-In advisory, “Out-of-Bounds Read Vulnerability in Mozilla Firefox ( CVE-2020-6821 ). This vulnerability exists in Mozilla Firefox due to a boundary condition when using the WebGLcopyTexSubImage method. A remote attacker could exploit this vulnerability by specially crafted web pages. Successful exploitation of this vulnerability could allow a remote attacker to disclose sensitive information,”
“Information Disclosure Vulnerability in Mozilla Firefox ( CVE-2020-6824). This vulnerability exists in Mozilla Firefox to generate a password for a site but leaves Firefox open.A remote attacker could exploit this vulnerability by revisiting the same site of the victim and generating a new password. The generated password will remain the same on the targeted system,” the advisory further reads.
The aforementioned vulnerability also allows the attacker to execute 'arbitrary code' on the targeted system, letting them run any chosen command onto it. As per sources, another flaw was also found to be existing in the internet browser that concerns with a boundary condition in GMP Decode Data as images exceeding 4GB are being processed on 32-bit builds. The exploitation of this flaw requires the attacker to trick users into opening specially designed images. Upon successful exploitation, the attacker can yet again execute arbitrary code on the targeted system.
Another way by which a remote attacker can take advantage of this exploit is by convincing a user to install a crafted extension, on doing so the attacker will be able to obtain sensitive information.