Red Hat Product Security issued an advisory (RHSA-2024:8720) for Mozilla Firefox and Thunderbird addressing ten security vulnerabilities (CVE-2024-10458 through CVE-2024-10467). The flaws include a permission leak via embed or object elements (CVE-2024-10458), use-after-free in layout with accessibility (CVE-2024-10459), XSS due to ignored Content-Disposition headers (CVE-2024-10461), denial of service via history interface (CVE-2024-10464), and memory safety bugs fixed in Firefox 132 and Thunderbird 132. The update also resolves issues such as clipboard paste button persistence across tabs, DOM push subscription message hangs, cross-origin video frame leaks, and spoofing of permission prompt origins. These vulnerabilities impact Firefox and Thunderbird packages distributed with Red Hat Enterprise Linux 9.2 Extended Update Support and related variants. The advisory provides updated packages to remediate these issues.

The vulnerabilities collectively could lead to denial of service conditions, cross-site scripting attacks, permission leaks, use-after-free memory corruption, memory safety issues, UI spoofing, and potential hangs in the browser. These issues may affect browser security and user privacy. The advisory rates the security impact as moderate. There are no known exploits in the wild at the time of the advisory.

Red Hat has released updated Firefox and Thunderbird packages for Red Hat Enterprise Linux 9.2 Extended Update Support and related variants that address these vulnerabilities. Users should apply the provided security updates as detailed in the Red Hat advisory RHSA-2024:8720. For update instructions, refer to https://access.redhat.com/articles/11258. Since official fixes are available, applying these updates is the recommended remediation.