Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. Note: this issue only affects Firefox on ARM64 platforms. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Firefox | Mozilla | * | 78.0 (excluding) |
| Firefox_esr | Mozilla | * | 68.10.0 (excluding) |
| Thunderbird | Mozilla | * | 68.10.0 (excluding) |
| Red Hat Enterprise Linux 7 | RedHat | firefox-0:68.10.0-1.el7_8 | * |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:68.10.0-1.el7_8 | * |
| Red Hat Enterprise Linux 8 | RedHat | firefox-0:68.10.0-1.el8_2 | * |
| Red Hat Enterprise Linux 8 | RedHat | thunderbird-0:68.10.0-1.el8_2 | * |
| Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions | RedHat | firefox-0:68.10.0-1.el8_0 | * |
| Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions | RedHat | thunderbird-0:68.10.0-1.el8_0 | * |
| Red Hat Enterprise Linux 8.1 Extended Update Support | RedHat | firefox-0:68.10.0-1.el8_1 | * |
| Red Hat Enterprise Linux 8.1 Extended Update Support | RedHat | thunderbird-0:68.10.0-1.el8_1 | * |
| Firefox | Ubuntu | bionic | * |
| Firefox | Ubuntu | devel | * |
| Firefox | Ubuntu | eoan | * |
| Firefox | Ubuntu | focal | * |
| Firefox | Ubuntu | groovy | * |
| Firefox | Ubuntu | hirsute | * |
| Firefox | Ubuntu | impish | * |
| Firefox | Ubuntu | jammy | * |
| Firefox | Ubuntu | kinetic | * |
| Firefox | Ubuntu | lunar | * |
| Firefox | Ubuntu | mantic | * |
| Firefox | Ubuntu | noble | * |
| Firefox | Ubuntu | trusty | * |
| Firefox | Ubuntu | upstream | * |
| Firefox | Ubuntu | xenial | * |
| Firefox-esr | Ubuntu | trusty | * |
| Firefox-esr | Ubuntu | upstream | * |
| Mozjs38 | Ubuntu | bionic | * |
| Mozjs38 | Ubuntu | esm-apps/bionic | * |
| Mozjs38 | Ubuntu | upstream | * |
| Mozjs52 | Ubuntu | bionic | * |
| Mozjs52 | Ubuntu | eoan | * |
| Mozjs52 | Ubuntu | esm-apps/focal | * |
| Mozjs52 | Ubuntu | esm-infra/bionic | * |
| Mozjs52 | Ubuntu | focal | * |
| Mozjs52 | Ubuntu | groovy | * |
| Mozjs52 | Ubuntu | upstream | * |
| Mozjs60 | Ubuntu | eoan | * |
| Mozjs60 | Ubuntu | upstream | * |
| Mozjs68 | Ubuntu | focal | * |
| Mozjs68 | Ubuntu | groovy | * |
| Mozjs68 | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | bionic | * |
| Thunderbird | Ubuntu | devel | * |
| Thunderbird | Ubuntu | eoan | * |
| Thunderbird | Ubuntu | focal | * |
| Thunderbird | Ubuntu | groovy | * |
| Thunderbird | Ubuntu | hirsute | * |
| Thunderbird | Ubuntu | impish | * |
| Thunderbird | Ubuntu | jammy | * |
| Thunderbird | Ubuntu | kinetic | * |
| Thunderbird | Ubuntu | lunar | * |
| Thunderbird | Ubuntu | mantic | * |
| Thunderbird | Ubuntu | noble | * |
| Thunderbird | Ubuntu | trusty | * |
| Thunderbird | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | xenial | * |
While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.