Security Vulnerabilities fixed in Firefox ESR 78.7 — Mozilla
Mozilla Foundation Security Advisory 2021-04
Security Vulnerabilities fixed in Firefox ESR 78.7
Announced
January 26, 2021
Impact
high
Products
Firefox ESR
Fixed in
Reporter
Rob Wu
Impact
high
Description
If a user clicked into a specially crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data.
References
Reporter
Gary Kwong
Impact
high
Description
Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to memory corruption and a potentially exploitable crash.
References
Reporter
Andrew Sutherland
Impact
moderate
Description
When an HTTPS page was embedded in an HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing.
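The framing rule behind this entry, as an added example that is not part of Mozilla's advisory or Firefox code: a simplified model of the Secure Contexts check, in which a frame is secure only if every document in its ancestor chain has a potentially trustworthy origin, and a service worker may control the frame only when that holds. The function names, the `.example` URLs and the scope list are assumptions constructed for illustration.

```javascript
// Added illustration: simplified model of the Secure Contexts framing rule.
// All names and URLs are hypothetical / constructed; this is not Firefox code.

// Origins treated as potentially trustworthy in this model: https/wss,
// localhost names and loopback addresses.
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return host === "[::1]";
}

// chain: document URLs from the top-level page down to the frame itself.
// Returns the first URL that breaks the chain, or null if all are trustworthy.
function firstInsecureDocument(chain) {
  return chain.find((u) => !isPotentiallyTrustworthy(u)) ?? null;
}

function isSecureContext(chain) {
  return chain.length > 0 && firstInsecureDocument(chain) === null;
}

// A registration may control the frame only if the frame URL falls under a
// registered scope AND the frame is a secure context.
function serviceWorkerMayControl(chain, registeredScopes) {
  if (chain.length === 0) return false;
  const frameUrl = new URL(chain[chain.length - 1]).href;
  const inScope = registeredScopes.some((s) => frameUrl.startsWith(new URL(s).href));
  return inScope && isSecureContext(chain);
}

// Constructed sample data.
const scopes = ["https://app.example/"];
const framedByHttp = ["http://news.example/article", "https://app.example/login"];
const framedByHttps = ["https://portal.example/", "https://app.example/login"];
const nestedMixed = ["https://portal.example/", "http://ads.example/slot", "https://app.example/login"];

for (const chain of [framedByHttp, framedByHttps, nestedMixed]) {
  console.log(chain.join(" > "), "=>", serviceWorkerMayControl(chain, scopes),
    "blocked by:", firstInsecureDocument(chain));
}
```

In a page's own script, the equivalent runtime signal is `window.isSecureContext`, which is false inside an HTTPS frame whose ancestor is HTTP.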
References
Reporter
Irvan Kurniawan
Impact
moderate
Description
Performing garbage collection on re-declared JavaScript variables resulted in a use-after-poison, and a potentially exploitable crash.
References
Reporter
Mozilla developers and community
Impact
high
Description
Mozilla developers Alexis Beingessner, Christian Holler, Andrew McCreight, Tyson Smith, Jon Coppeard, André Bargull, Jason Kratzer, Jesse Schwartzentruber, Steve Fink, and Byron Campen reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References