CVE-2020-12390

Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks. This vulnerability affects Firefox < 76.

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Name	Vendor	Start Version	End Version
Firefox	Mozilla	*	76.0 (excluding)
Firefox	Ubuntu	bionic	*
Firefox	Ubuntu	devel	*
Firefox	Ubuntu	eoan	*
Firefox	Ubuntu	focal	*
Firefox	Ubuntu	groovy	*
Firefox	Ubuntu	hirsute	*
Firefox	Ubuntu	impish	*
Firefox	Ubuntu	jammy	*
Firefox	Ubuntu	kinetic	*
Firefox	Ubuntu	lunar	*
Firefox	Ubuntu	mantic	*
Firefox	Ubuntu	noble	*
Firefox	Ubuntu	trusty	*
Firefox	Ubuntu	upstream	*
Firefox	Ubuntu	xenial	*
Mozjs38	Ubuntu	bionic	*
Mozjs38	Ubuntu	esm-apps/bionic	*
Mozjs38	Ubuntu	upstream	*
Mozjs52	Ubuntu	bionic	*
Mozjs52	Ubuntu	eoan	*
Mozjs52	Ubuntu	esm-apps/focal	*
Mozjs52	Ubuntu	esm-infra/bionic	*
Mozjs52	Ubuntu	focal	*
Mozjs52	Ubuntu	groovy	*
Mozjs52	Ubuntu	upstream	*
Mozjs60	Ubuntu	eoan	*
Mozjs60	Ubuntu	upstream	*
Mozjs68	Ubuntu	esm-infra/focal	*
Mozjs68	Ubuntu	focal	*
Mozjs68	Ubuntu	groovy	*
Mozjs68	Ubuntu	upstream	*

Make fields transient to protect them from deserialization.
An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-12390
CWE	https://cwe.mitre.org/data/definitions/502.html

Deserialization of Untrusted Data