Mozilla published a
security advisory for all affected versions of the web browser that provide additional details on the issues:
There, users find out that two security issues have been patched in the update. Both issues have the severity rating of critical, the highest rating that is available. They were reported to Mozilla by Manfred Paul via Trend Micro's Zero Day Initiative.
CVE-2022-1802: Prototype pollution in Top-Level Await implementation
If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.
CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.
The linked bug reports are restricted.
Mozilla makes no mention of attacks in the wilds that target these vulnerabilities.
www.mozilla.org
