This Red Hat security advisory addresses a set of ten vulnerabilities in Mozilla Firefox and Thunderbird, including CVE-2024-10458 (permission leak via embed or object elements), CVE-2024-10459 (use-after-free in layout with accessibility), CVE-2024-10460 (confusing display of origin for external protocol handler prompt), CVE-2024-10461 (XSS due to Content-Disposition being ignored), CVE-2024-10462 (origin of permission prompt spoofing by long URL), CVE-2024-10463 (cross origin video frame leak), CVE-2024-10464 (denial of service via history interface), CVE-2024-10465 (clipboard paste button persisted across tabs), CVE-2024-10466 (DOM push subscription message hang), and CVE-2024-10467 (memory safety bugs). These vulnerabilities affect Firefox and Thunderbird versions prior to Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4. The advisory provides fixes for these issues and recommends updating to the patched versions. No known exploits in the wild have been reported at the time of the advisory.

The vulnerabilities collectively could allow denial of service conditions, cross-site scripting attacks, permission leaks, use-after-free memory corruption, memory safety issues, UI spoofing, and potential hangs in the browser. These issues could impact the security and stability of Firefox and Thunderbird, potentially allowing attackers to disrupt service or bypass security controls related to permissions and content origin. The overall severity is rated as moderate by Red Hat.

Red Hat has released security updates for Firefox and Thunderbird in Red Hat Enterprise Linux 8.2 Advanced Update Support that address these vulnerabilities. Users should apply the provided updates to Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 or later as detailed in the Red Hat advisory RHSA-2024:8724. For instructions on applying the update, refer to https://access.redhat.com/articles/11258. No additional mitigation steps are indicated beyond applying the official patches.