This Red Hat security advisory addresses a set of vulnerabilities in Mozilla Firefox and Thunderbird, including CVE-2024-10458 (permission leak via embed or object elements), CVE-2024-10459 (use-after-free in layout with accessibility), CVE-2024-10460 (confusing display of origin for external protocol handler prompt), CVE-2024-10461 (XSS due to Content-Disposition being ignored), CVE-2024-10462 (origin spoofing of permission prompt by long URL), CVE-2024-10463 (cross-origin video frame leak), CVE-2024-10464 (denial of service via history interface), CVE-2024-10465 (clipboard paste button persisted across tabs), CVE-2024-10466 (DOM push subscription message hang), and CVE-2024-10467 (memory safety bugs). These vulnerabilities have been fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 packages provided by Red Hat for Enterprise Linux 8 on multiple architectures. The advisory rates the security impact as moderate and provides links to updated packages and instructions for applying the update.

The vulnerabilities collectively could allow denial of service conditions, cross-site scripting attacks, permission leaks, use-after-free memory corruption, memory safety issues, UI spoofing, and potential hangs in Firefox or Thunderbird. These issues could impact browser stability, security prompts, and user privacy. However, there are no reports of known exploits in the wild. The overall security impact is rated moderate by Red Hat.

A security update is available from Red Hat for Red Hat Enterprise Linux 8 that addresses these vulnerabilities. Users should apply the Firefox and Thunderbird updates to versions Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 as provided in the advisory. For detailed update instructions, refer to the Red Hat advisory at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated beyond applying the official update.