Mozilla fixed these flaws two days after a security researcher named Manfred Paul exploited and reported them during the Pwn2Own hacking contest. Threat actors could leverage these security flaws to “take control of an affected system,” according to the Cybersecurity and Infrastructure Security Agency (CISA), which urged administrators and users to patch these vulnerabilities.
CVE-2022-1802: Prototype pollution in Top-Level Await implementation
Affected versions:
- Firefox versions prior to 100.0.2
- Firefox ESR versions prior to 91.9.1
- Thunderbird versions prior to 91.9.1
- Firefox for Android versions prior to 100.3
Customers are advised to upgrade to the latest versions mentioned below:
- Firefox 100.0.2
- Firefox ESR 91.9.1
- Thunderbird 91.9.1
- Firefox for Android 100.3
For more information, please refer to the Mozilla Foundation security advisory (MFSA2022-19).
Qualys customers can scan their devices with QIDs 376625 and 376626 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.