Firefox 101.0 and 91.10esr released – with security fixes

[German]Mozilla developers have released versions 101.0 and 91.10esr of the Firefox browser on May 31, 2022. These are maintenance updates, which fix bugs critical vulnerabilities.

According to the release notes, the May 31, 2022 update brings the following new features to Firefox 101.0:

• Reading is now easier with the media query prefers-contrast. The option allows websites to detect whether the user has requested web content to be displayed with a higher (or lower) contrast.
• All unconfigured MIME types can now be assigned a custom action after the download is complete.
• Firefox now allows users to use as many microphones as desired at the same time during video conferences. It is possible to switch between microphones at any time (if the conferencing service provider allows this flexibility).

Several bug fixes and new policies have been implemented in the latest version of Firefox. For more information, see the Firefox for Business 101 release notes. There are also some minor new features for developers. 

In addition, the following security fixes (for Firefox 101.0 and also for the and 91.10esr) are rolled out with the update.

• CVE-2022-31736: Cross-Origin resource's length leaked: Severity High; A malicious website may have learned the size of a cross-origin resource that supports range requests.
• CVE-2022-31737: Heap buffer overflow in WebGL: Severity High; A malicious website could cause an out-of-bounds write in WebGL, resulting in memory corruption and a potentially exploitable crash.
• CVE-2022-31738: Browser window spoof using fullscreen mode: Severity High; When exiting fullscreen mode, an iframe could confuse the browser about the current state of fullscreen mode, which could lead to user confusion or spoofing attacks.
• CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files: Severity High; When downloading files on Windows, the % character was not escaped, which could cause a download to be incorrectly saved in attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This flaw only affects Firefox for Windows.
• CVE-2022-31740: Register allocation problem in WASM on arm64: Severity High; On arm64, the WASM code could result in incorrect assembly generation, causing a register allocation problem and a potentially exploitable crash. 
• CVE-2022-31741: Uninitialized variable leads to invalid memory read: Severity High; A tampered CMS message could have been processed incorrectly, resulting in an invalid memory read and potentially further memory corruption.

Other vulnerabilities rated as medium severity are described here. The new Firefox and the ESR variants can be downloaded from this website for various platforms (the variant is to be selected via the displayed list boxes).