Mozilla has recently unveiled Firefox 120, a significant update packed with essential security fixes and several noteworthy features. In this release, the focus has been on addressing vulnerabilities, including high-severity issues, while introducing new functionalities to enhance user privacy and the browsing experience.
Key changes in Firefox 120:
- Global Privacy Control Setting: The latest version introduces a Global Privacy Control setting, empowering users to exert greater control over their online privacy.
- Chromium Snap Data Import: Users can now seamlessly import data from Chromium snap, facilitating a smoother transition for those migrating from other browsers.
- Copy Link without Site Tracking: Firefox 120 offers an option to copy links without site tracking, providing users with more control over the information they share online.
- Picture-in-Picture (PIP) Mode Enhancements: The Picture-in-Picture (PIP) mode now supports corner snapping on Windows and Linux, enhancing the multitasking capabilities of the browser.
- New DevTools Feature: A new feature has been added to the developer tools, offering developers additional capabilities and tools for web development.
- TLS Trust Anchors Import: The update includes the import of TLS trust anchors, contributing to a more secure browsing experience.
- Improvements in Private Windows and ETP-Strict Privacy Configuration: Firefox 120 brings improvements to private windows and the ETP-Strict privacy configuration, further enhancing user privacy.
High Severity Flaws Addressed:
CVE-2023-6204: Graphics Settings Vulnerability
- Possible out-of-bounds read and memory data leakage into canvas element images.
- Reported by JSec of Hayyim Security.
CVE-2023-6205: MessagePort Use-after-free Vulnerability
- Allowed the use of a MessagePort after it had been freed, potentially leading to an exploitable crash.
- Reported by Yangkang of the 360 ATA Team.
CVE-2023-6206: Black Fade Animation Vulnerability
- Black fade animation issue during fullscreen exit, potentially used to surprise users during permission prompts.
- Reported by Hafiizh.
CVE-2023-6207: Use-after-free in ReadableByteStreamQueueEntry::Buffer
- High-severity issue involving a use-after-free vulnerability.
- Reported by Yangkang of the 360 ATA Team.
CVE-2023-6212: Memory Safety Bug
- Memory safety bug fixed in Firefox 120, ESR 115.5, and Thunderbird 115.5.
CVE-2023-6213: Memory Safety Issues
- Addressed memory safety issues, potentially exploitable to run arbitrary code.
- Reported by Mozilla developers.
Moderate and Low-Severity Issues Addressed
Moderate Severity Issues:
- Using Selection API copying contents into X11 primary selection (CVE-2023-6208).
- Incorrect parsing of relative URLs starting with (CVE-2023-6209).
Low-Severity Issues:
- Mixed-content resources are not blocked in a javascript pop-up (CVE-2023-6210).
- Clickjacking to load insecure pages in HTTPS-only mode (CVE-2023-6211).