Red Hat Product Security issued advisory RHSA-2024:8722 for Mozilla Firefox and Thunderbird, fixing ten vulnerabilities (CVE-2024-10458 through CVE-2024-10467) that include denial of service via the history interface, cross-site scripting due to ignored Content-Disposition headers, permission leaks through embed or object elements, use-after-free in layout accessibility, memory safety bugs, clipboard persistence across tabs, DOM push subscription message hangs, cross-origin video frame leaks, spoofing of permission prompt origins by long URLs, and confusing origin display for external protocol handler prompts. These issues were resolved in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4. The advisory covers Red Hat Enterprise Linux 8.8 Extended Update Support variants across multiple architectures. The update is rated moderate severity by Red Hat and addresses multiple CWE categories including CWE-280, CWE-416, CWE-79, CWE-120, among others.

The vulnerabilities collectively could lead to denial of service conditions, cross-site scripting attacks, permission leaks, use-after-free memory corruption, memory safety issues, UI spoofing, and potential browser hangs. These issues may affect the security and stability of Firefox and Thunderbird, potentially allowing attackers to disrupt service or bypass security prompts. The advisory does not report known exploits in the wild at this time.

Red Hat has released updated Firefox packages for Red Hat Enterprise Linux 8.8 Extended Update Support that address these vulnerabilities. Users should apply these official updates as detailed in the Red Hat advisory RHSA-2024:8722 and the referenced article https://access.redhat.com/articles/11258. No additional mitigation steps are indicated beyond applying the vendor-provided patches.