This Red Hat security advisory (RHSA-2024:8723) addresses a set of ten vulnerabilities in Mozilla Firefox and Thunderbird, including CVE-2024-10458 (permission leak via embed or object elements), CVE-2024-10459 (use-after-free in layout with accessibility), CVE-2024-10460 (confusing display of origin for external protocol handler prompt), CVE-2024-10461 (XSS due to Content-Disposition being ignored), CVE-2024-10462 (origin of permission prompt spoofed by long URL), CVE-2024-10463 (cross origin video frame leak), CVE-2024-10464 (history interface causing denial of service), CVE-2024-10465 (clipboard paste button persisted across tabs), CVE-2024-10466 (DOM push subscription message could hang Firefox), and CVE-2024-10467 (memory safety bugs). The fixes are included in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 packages provided by Red Hat for various RHEL 8.4 variants. The advisory rates the impact as moderate and references detailed CVE pages for individual vulnerability severity and impact.

The vulnerabilities collectively could allow denial of service conditions, cross-site scripting attacks, permission leaks, use-after-free memory corruption, UI spoofing, and memory safety issues in Firefox and Thunderbird. These issues may affect browser stability, security boundary enforcement, and user interface integrity. Red Hat rates the overall security impact as moderate. There are no known exploits in the wild at the time of this advisory.

Red Hat has released updated Firefox and Thunderbird packages (version 128.4.0-1.el8_4) for Red Hat Enterprise Linux 8.4 variants that address these vulnerabilities. Users should apply these official updates promptly to remediate the issues. For detailed update instructions, refer to the Red Hat advisory at https://access.redhat.com/articles/11258. Since this is an on-premises product, remediation requires applying the vendor-provided patches. No additional mitigations are specified in the advisory.