Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.1.dompoint.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.1.dompoint.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -23,15 +23,15 @@ ctx.fill(); // top-left corner-_assertPixel(offscreenCanvas, 20,1, 255,0,0,255, "20,1", "255,0,0,255");-_assertPixel(offscreenCanvas, 41,1, 0,255,0,255, "41,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,10, 255,0,0,255, "1,10", "255,0,0,255");-_assertPixel(offscreenCanvas, 1,21, 0,255,0,255, "1,21", "0,255,0,255");+_assertPixel(canvas, 20,1, 255,0,0,255, "20,1", "255,0,0,255");+_assertPixel(canvas, 41,1, 0,255,0,255, "41,1", "0,255,0,255");+_assertPixel(canvas, 1,10, 255,0,0,255, "1,10", "255,0,0,255");+_assertPixel(canvas, 1,21, 0,255,0,255, "1,21", "0,255,0,255"); // other corners-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the assertions. Here's the analysis:
1. Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.1.dompoint.worker.js
Lines: 13-14, 23-31
Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
// ...
_assertPixel(offscreenCanvas, 20,1, 255,0,0,255, "20,1", "255,0,0,255");
// etc...
```
Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
// ...
_assertPixel(canvas, 20,1, 255,0,0,255, "20,1", "255,0,0,255");
// etc...
```
The changes are purely cosmetic/refactoring in nature and don't appear to address any security issues. The functionality remains exactly the same, only the variable name has been changed for consistency or clarity.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.unchanged.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.unchanged.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var i = 0; for (var y = 0; y < 16; ++y) {
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) which doesn't impact security.
Answer:
Vulnerability Existed: no
No security vulnerability found in this diff. The changes are purely variable renaming with no security implications.
Additional notes:
1. The diff shows only a variable name change from `offscreenCanvas` to `canvas`
2. No security-related changes to functionality or data handling
3. The context remains the same (OffscreenCanvas usage)
4. No changes to any security-sensitive operations
Since this is just a refactoring change with no security impact, I've marked "Vulnerability Existed" as "no".
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.fontKerning.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.fontKerning.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.fontKerning, "auto", "ctx.fontKerning", "\"auto\""); ctx.fontKerning = "normal";
Let me analyze the provided code diff for security fixes.
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.fontKerning.worker.js] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The change appears to be a simple variable renaming from `offscreenCanvas` to `canvas`
- No security-related changes are evident in this diff
- The modification seems to be for code consistency or readability rather than security
- The functionality remains exactly the same, only the variable name changed
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.nonfinite.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.nonfinite.html@@ -18,8 +18,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -335,7 +335,7 @@ ctx.drawImage(bitmap, 0, 0, 100, 50, 0, Infinity, Infinity, Infinity); ctx.drawImage(bitmap, 0, 0, 100, 50, 0, Infinity, 100, Infinity); ctx.drawImage(bitmap, 0, 0, 100, 50, 0, 0, Infinity, Infinity);- _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+ _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); }, t_fail); }).then(t_pass, t_fail);
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be variable renaming and test assertion updates rather than security-related fixes. Here's the analysis:
1. Vulnerability Existed: no
Variable Renaming [testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.nonfinite.html] [Lines 18-19, 335]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
2. Vulnerability Existed: no
Test Assertion Update [testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.nonfinite.html] [Line 335]
Old Code:
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
Fixed Code:
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes are purely cosmetic/refactoring in nature, updating variable names to be more consistent (from 'offscreenCanvas' to 'canvas') and updating the test assertions accordingly. There are no security-related fixes in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/preferences/preferences.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/preferences/preferences.js@@ -12,8 +12,8 @@ /* import-globals-from experimental.js */ /* import-globals-from moreFromMozilla.js */ /* import-globals-from findInPage.js */-/* import-globals-from ../../base/content/utilityOverlay.js */-/* import-globals-from ../../../toolkit/content/preferencesBindings.js */+/* import-globals-from /browser/base/content/utilityOverlay.js */+/* import-globals-from /toolkit/content/preferencesBindings.js */ "use strict";@@ -237,6 +237,10 @@ maybeDisplayPoliciesNotice(); window.addEventListener("hashchange", onHashChange);++ document.getElementById("focusSearch1").addEventListener("command", () => {+ gSearchResultsPane.searchInput.focus();+ }); gotoPref().then(() => { let helpButton = document.getElementById("helpButton");
Based on the provided diff, I'll analyze it for potential security vulnerabilities:
1. First change (import paths):
Vulnerability Existed: not sure
[Potential Path Traversal/Insecure Module Import] [browser/components/preferences/preferences.js] [Lines 12-13]
[Old Code]
/* import-globals-from ../../base/content/utilityOverlay.js */
/* import-globals-from ../../../toolkit/content/preferencesBindings.js */
[Fixed Code]
/* import-globals-from /browser/base/content/utilityOverlay.js */
/* import-globals-from /toolkit/content/preferencesBindings.js */
Additional Details: The change from relative paths to absolute paths might indicate a security improvement against potential path traversal attacks, but without more context about the build system and module resolution, this is uncertain.
2. Second change (event listener addition):
Vulnerability Existed: no
[Feature Addition] [browser/components/preferences/preferences.js] [Lines 237-240]
[Old Code]
window.addEventListener("hashchange", onHashChange);
[Fixed Code]
window.addEventListener("hashchange", onHashChange);
document.getElementById("focusSearch1").addEventListener("command", () => {
gSearchResultsPane.searchInput.focus();
});
Additional Details: This appears to be a purely functional addition for search focus behavior, with no evident security implications.
No clear security vulnerabilities were identified in these changes. The path modification might be related to security but could also be for consistency or build system requirements.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.source-out.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.source-out.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0';@@ -24,8 +24,8 @@ ctx.clip(); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 50, 50);-_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");+_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");+_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, here's the security assessment: 1. Vulnerability Existed: no This appears to be a simple variable renaming change from `offscreenCanvas` to `canvas`. There are no security vulnerabilities being fixed in this diff. The changes are purely cosmetic/refactoring in nature. The changes made are: - Renamed variable `offscreenCanvas` to `canvas` for consistency - Updated all references to the renamed variable - No functional changes to the actual canvas operations or assertions Since this is just a variable name change with no security implications, no further vulnerability analysis is needed. The diff shows typical code maintenance rather than security fixes. No security vulnerabilities were identified in this diff. The changes are purely related to code style and variable naming conventions.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/shared/layout/utils.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/shared/layout/utils.js@@ -12,6 +12,12 @@ "devtools/shared/DevToolsUtils" ); loader.lazyRequireGetter(this, "ChromeUtils");+loader.lazyRequireGetter(+ this,+ "NetUtil",+ "resource://gre/modules/NetUtil.jsm",+ true+); const SHEET_TYPE = { agent: "AGENT_SHEET",@@ -878,6 +884,49 @@ * @returns {Boolean} */ function isFrameWithChildTarget(targetActor, node) {+ // If the iframe is blocked because of CSP, it won't have a document (and no associated targets)+ if (isFrameBlockedByCSP(node)) {+ return false;+ }+ return isRemoteFrame(node) || (isIframe(node) && targetActor.ignoreSubFrames); }+ exports.isFrameWithChildTarget = isFrameWithChildTarget;++/**+ * Check if the provided node is representing a frame that is blocked by CSP.+ *+ * @param {DOMNode} node+ * @returns {Boolean}+ */+function isFrameBlockedByCSP(node) {+ if (!isIframe(node)) {+ return false;+ }++ if (!node.src) {+ return false;+ }++ let uri;+ try {+ uri = NetUtil.newURI(node.src);+ } catch (e) {+ return false;+ }++ const res = node.ownerDocument.csp.shouldLoad(+ Ci.nsIContentPolicy.TYPE_SUBDOCUMENT,+ null, // nsICSPEventListener+ uri,+ null, // aOriginalURIIfRedirect+ false, // aSendViolationReports+ null, // aNonce+ false // aParserCreated+ );++ return res !== Ci.nsIContentPolicy.ACCEPT;+}++exports.isFrameBlockedByCSP = isFrameBlockedByCSP;
Here's the analysis of the provided code diff:
1. Vulnerability Existed: yes
CSP Bypass Vulnerability [devtools/shared/layout/utils.js] [Lines 878-884, added new function]
Old Code:
```javascript
function isFrameWithChildTarget(targetActor, node) {
return isRemoteFrame(node) || (isIframe(node) && targetActor.ignoreSubFrames);
}
```
Fixed Code:
```javascript
function isFrameWithChildTarget(targetActor, node) {
// If the iframe is blocked because of CSP, it won't have a document (and no associated targets)
if (isFrameBlockedByCSP(node)) {
return false;
}
return isRemoteFrame(node) || (isIframe(node) && targetActor.ignoreSubFrames);
}
```
Additional Details: The fix adds CSP (Content Security Policy) validation for iframes, preventing potential CSP bypass scenarios where frames blocked by CSP might still be processed.
2. Vulnerability Existed: yes
URI Parsing Vulnerability [devtools/shared/layout/utils.js] [Lines 884-913, new function]
Old Code:
(No previous code existed for this functionality)
Fixed Code:
```javascript
function isFrameBlockedByCSP(node) {
if (!isIframe(node)) {
return false;
}
if (!node.src) {
return false;
}
let uri;
try {
uri = NetUtil.newURI(node.src);
} catch (e) {
return false;
}
// ... rest of the function
}
```
Additional Details: The new function includes proper URI parsing using NetUtil.newURI() with error handling, which prevents potential security issues from malformed URIs in iframe src attributes.
The changes introduce security improvements by:
1. Adding CSP validation for iframes
2. Implementing safe URI parsing
3. Properly handling frames blocked by security policies
Note that while these aren't fixes for specific known vulnerabilities (like CVE numbers), they represent important security hardening measures that prevent potential security issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/smallvec/src/tests.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/smallvec/src/tests.rs@@ -111,6 +111,13 @@ assert_eq!(v.drain(1..).collect::<Vec<_>>(), &[4, 5]); // drain should not change the capacity assert_eq!(v.capacity(), old_capacity);++ // Exercise the tail-shifting code when in the inline state+ // This has the potential to produce UB due to aliasing+ let mut v: SmallVec<[u8; 2]> = SmallVec::new();+ v.push(1);+ v.push(2);+ assert_eq!(v.drain(..1).collect::<Vec<_>>(), &[1]); } #[test]
Based on the provided diff, I'll analyze it for security vulnerabilities:
Vulnerability Existed: not sure
Potential Aliasing UB (Undefined Behavior) [third_party/rust/smallvec/src/tests.rs] [Lines 111+]
[Old Code]
assert_eq!(v.drain(1..).collect::<Vec<_>>(), &[4, 5]);
// drain should not change the capacity
assert_eq!(v.capacity(), old_capacity);
[Fixed Code]
assert_eq!(v.drain(1..).collect::<Vec<_>>(), &[4, 5]);
// drain should not change the capacity
assert_eq!(v.capacity(), old_capacity);
// Exercise the tail-shifting code when in the inline state
// This has the potential to produce UB due to aliasing
let mut v: SmallVec<[u8; 2]> = SmallVec::new();
v.push(1);
v.push(2);
assert_eq!(v.drain(..1).collect::<Vec<_>>(), &[1]);
Additional Details:
1. The comment explicitly mentions "potential to produce UB due to aliasing", suggesting there might have been concerns about undefined behavior.
2. The test case was added to exercise tail-shifting code in inline state, which could have been a previously untested edge case.
3. Without more context about the actual implementation changes, we can't be certain if this was fixing an actual vulnerability or just adding defensive testing.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-values/calc-offsets-relative-left-1-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-values/calc-offsets-relative-left-1-ref.html@@ -3,7 +3,6 @@ <head> <title>CSS Reference: Test for left:calc() on relatively positioned elements</title> <link rel="author" title="L. David Baron" href="https://dbaron.org/">- <meta name="flags" content=""> <style type="text/css"> body { margin: 0 100px; width: 100px } div[style] { background: blue; position: relative; height: 3px; }
Analyzing the provided code diff, here's the security assessment: Vulnerability Existed: no [No specific vulnerability] [testing/web-platform/tests/css/css-values/calc-offsets-relative-left-1-ref.html] [Lines 3-6] [Old Code] <meta name="flags" content=""> [Fixed Code] [Removed line] Additional Details: 1. The change simply removes an empty meta tag with a "flags" attribute, which appears to be test-related metadata. 2. There's no security vulnerability being fixed here - this appears to be a test cleanup change. 3. The empty meta tag wasn't serving any security purpose and its removal doesn't impact security. 4. No known vulnerability is associated with this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/futures/src/lib.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/futures/src/lib.rs@@ -78,7 +78,6 @@ //! The majority of examples and code snippets in this crate assume that they are //! inside an async block as written above.-#![cfg_attr(feature = "read-initializer", feature(read_initializer))] #![cfg_attr(not(feature = "std"), no_std)] #![warn( missing_debug_implementations,@@ -98,9 +97,6 @@ #[cfg(all(feature = "bilock", not(feature = "unstable")))] compile_error!("The `bilock` feature requires the `unstable` feature as an explicit opt-in to unstable features");--#[cfg(all(feature = "read-initializer", not(feature = "unstable")))]-compile_error!("The `read-initializer` feature requires the `unstable` feature as an explicit opt-in to unstable features"); #[doc(no_inline)] pub use futures_core::future::{Future, TryFuture};
Based on the provided diff, here's the analysis:
Vulnerability Existed: not sure
Potential Unstable Feature Exposure [third_party/rust/futures/src/lib.rs] [Lines 78, 98-100]
[Old Code]
```rust
#![cfg_attr(feature = "read-initializer", feature(read_initializer))]
...
#[cfg(all(feature = "read-initializer", not(feature = "unstable")))]
compile_error!("The `read-initializer` feature requires the `unstable` feature as an explicit opt-in to unstable features");
```
[Fixed Code]
```rust
(removed both the feature attribute and the compile_error check)
```
Additional Details:
1. The diff shows removal of the `read-initializer` feature which was previously gated behind an unstable feature requirement
2. This appears to be a security-conscious change as it removes potentially unsafe/unstable functionality
3. While not a direct vulnerability, removing unstable features reduces attack surface
4. The exact security impact is unclear without knowing how this feature was used
Note: There isn't enough context to determine if this was fixing an actual vulnerability (CVE) or just being proactive about security. The change appears to be removing potentially risky functionality by eliminating an unstable feature and its requirements.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/startup/StartupTimeline.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/startup/StartupTimeline.cpp@@ -45,14 +45,11 @@ // Record first paint timestamp as a scalar. if (ev == FIRST_PAINT || ev == FIRST_PAINT2) {- bool error = false; uint32_t firstPaintTime =- (uint32_t)(aWhen - TimeStamp::ProcessCreation(&error)).ToMilliseconds();- if (!error) {- Telemetry::ScalarSet(- ev == FIRST_PAINT ? Telemetry::ScalarID::TIMESTAMPS_FIRST_PAINT- : Telemetry::ScalarID::TIMESTAMPS_FIRST_PAINT_TWO,- firstPaintTime);- }+ (uint32_t)(aWhen - TimeStamp::ProcessCreation()).ToMilliseconds();+ Telemetry::ScalarSet(ev == FIRST_PAINT+ ? Telemetry::ScalarID::TIMESTAMPS_FIRST_PAINT+ : Telemetry::ScalarID::TIMESTAMPS_FIRST_PAINT_TWO,+ firstPaintTime); } }
Here's the analysis following the requested format:
Vulnerability Existed: not sure
Potential Error Handling Removal [File] [Lines 45-53]
[Old Code]
bool error = false;
uint32_t firstPaintTime =
(uint32_t)(aWhen - TimeStamp::ProcessCreation(&error)).ToMilliseconds();
if (!error) {
Telemetry::ScalarSet(
ev == FIRST_PAINT ? Telemetry::ScalarID::TIMESTAMPS_FIRST_PAINT
: Telemetry::ScalarID::TIMESTAMPS_FIRST_PAINT_TWO,
firstPaintTime);
}
[Fixed Code]
uint32_t firstPaintTime =
(uint32_t)(aWhen - TimeStamp::ProcessCreation()).ToMilliseconds();
Telemetry::ScalarSet(ev == FIRST_PAINT
? Telemetry::ScalarID::TIMESTAMPS_FIRST_PAINT
: Telemetry::ScalarID::TIMESTAMPS_FIRST_PAINT_TWO,
firstPaintTime);
Additional Details:
The main change appears to be the removal of error handling around the ProcessCreation() call. While this might indicate the error condition was deemed impossible or irrelevant, it could potentially mask issues if ProcessCreation() fails. However, without more context about TimeStamp::ProcessCreation() behavior, it's unclear if this was a security fix or just a code simplification. The change could be related to reliability rather than security.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-rgba-3.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-rgba-3.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'rgba(255, 0 0)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes (variable renaming) rather than security-related fixes. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-rgba-3.html] [Lines 17-25]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[...]
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
[...]
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes simply rename the variable `offscreenCanvas` to `canvas` and update the references to it. There are no changes to the actual security-sensitive operations or input handling.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/geckodriver/doc/TraceLogs.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/geckodriver/doc/TraceLogs.md@@ -102,7 +102,7 @@ geckodriver. If you find your language missing, please consider [submitting a patch].-[submitting a patch]: ../CONTRIBUTING.md+[submitting a patch]: Patches.md C#
Analysis of the provided code diff:
1. Vulnerability Existed: no
No security vulnerability found [File] testing/geckodriver/doc/TraceLogs.md [Lines] 102
Old Code: [submitting a patch]: ../CONTRIBUTING.md
Fixed Code: [submitting a patch]: Patches.md
Additional Details:
- This appears to be a documentation change updating a link reference from CONTRIBUTING.md to Patches.md
- The change doesn't involve any security-sensitive code or functionality
- No known vulnerability patterns are present in this change
- The modification is purely related to documentation structure/linking
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/protocol/http/Http3Stream.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/protocol/http/Http3Stream.h@@ -68,7 +68,6 @@ bool GetHeadersString(const char* buf, uint32_t avail, uint32_t* countUsed); nsresult StartRequest();- void FindRequestContentLength(); void SetPriority(uint32_t aCos);@@ -144,7 +143,6 @@ bool mDataReceived{false}; bool mResetRecv{false}; nsTArray<uint8_t> mFlatResponseHeaders;- uint32_t mRequestBodyLenRemaining{0}; uint64_t mTransactionTabId{0}; uint64_t mCurrentTopBrowsingContextId; uint8_t mPriorityUrgency{3}; // urgency field of http priority@@ -162,6 +160,11 @@ nsresult mSocketInCondition = NS_ERROR_NOT_INITIALIZED; nsresult mSocketOutCondition = NS_ERROR_NOT_INITIALIZED;++#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED+ uint32_t mRequestBodyLenExpected{0};+ uint32_t mRequestBodyLenSent{0};+#endif }; } // namespace net
Here's the analysis of the provided code diff:
1. Vulnerability Existed: not sure
[Potentially Unused/Redundant Code Removal] [netwerk/protocol/http/Http3Stream.h] [Lines 68-144]
[Old Code]
void FindRequestContentLength();
...
uint32_t mRequestBodyLenRemaining{0};
[Fixed Code]
(Removed these elements entirely)
Additional Details: The removal of `FindRequestContentLength()` method and `mRequestBodyLenRemaining` member variable suggests they were potentially unused or redundant. While this doesn't indicate a clear security vulnerability, removing unused code can improve security by reducing attack surface.
2. Vulnerability Existed: not sure
[Diagnostic Assertion Addition] [netwerk/protocol/http/Http3Stream.h] [Lines 160-164]
[Old Code]
(No diagnostic assertion variables)
[Fixed Code]
#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
uint32_t mRequestBodyLenExpected{0};
uint32_t mRequestBodyLenSent{0};
#endif
Additional Details: The addition of diagnostic assertion variables suggests improved debugging capabilities for request body length verification. While not a direct security fix, this could help catch potential issues during development.
Note: The diff shows code cleanup and potential improvements, but doesn't clearly indicate any specific security vulnerabilities being fixed. The changes appear to be more about code maintenance and potential debugging improvements rather than addressing known vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.vertical.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.vertical.worker.js@@ -13,17 +13,17 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var g = ctx.createLinearGradient(0, 0, 0, 50); g.addColorStop(0, '#ff0'); g.addColorStop(1, '#00f'); ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,12, 191,191,63,255, "50,12", "191,191,63,255", 10);-_assertPixelApprox(offscreenCanvas, 50,25, 127,127,127,255, "50,25", "127,127,127,255", 5);-_assertPixelApprox(offscreenCanvas, 50,37, 63,63,191,255, "50,37", "63,63,191,255", 10);+_assertPixelApprox(canvas, 50,12, 191,191,63,255, "50,12", "191,191,63,255", 10);+_assertPixelApprox(canvas, 50,25, 127,127,127,255, "50,25", "127,127,127,255", 5);+_assertPixelApprox(canvas, 50,37, 63,63,191,255, "50,37", "63,63,191,255", 10); t.done(); });
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be purely cosmetic/refactoring changes (variable renaming) without any security implications.
Here's the structured response:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.interpolate.vertical.worker.js] [Lines 13-25]
[Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixelApprox(offscreenCanvas, ...)]
[Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixelApprox(canvas, ...)]
The changes only involve:
1. Renaming the variable `offscreenCanvas` to `canvas`
2. Updating the variable name in subsequent function calls
3. No changes to the actual logic or security-related functionality
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/initial.reset.same.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/initial.reset.same.worker.js@@ -13,15 +13,15 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d');-offscreenCanvas.width = 100;+canvas.width = 100; ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 50, 50);-_assertPixel(offscreenCanvas, 20,20, 255,0,0,255, "20,20", "255,0,0,255");-offscreenCanvas.width = 100;-_assertPixel(offscreenCanvas, 20,20, 0,0,0,0, "20,20", "0,0,0,0");+_assertPixel(canvas, 20,20, 255,0,0,255, "20,20", "255,0,0,255");+canvas.width = 100;+_assertPixel(canvas, 20,20, 0,0,0,0, "20,20", "0,0,0,0"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't involve any security-related modifications. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/initial.reset.same.worker.js [Lines] 13-23
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
offscreenCanvas.width = 100;
ctx.fillStyle = '#f00';
ctx.fillRect(0, 0, 50, 50);
_assertPixel(offscreenCanvas, 20,20, 255,0,0,255, "20,20", "255,0,0,255");
offscreenCanvas.width = 100;
_assertPixel(offscreenCanvas, 20,20, 0,0,0,0, "20,20", "0,0,0,0");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
canvas.width = 100;
ctx.fillStyle = '#f00';
ctx.fillRect(0, 0, 50, 50);
_assertPixel(canvas, 20,20, 255,0,0,255, "20,20", "255,0,0,255");
canvas.width = 100;
_assertPixel(canvas, 20,20, 0,0,0,0, "20,20", "0,0,0,0");
The only change is renaming the variable 'offscreenCanvas' to 'canvas', which doesn't affect security in any way. The functionality remains identical.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/startup/nsAppStartup.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/startup/nsAppStartup.cpp@@ -823,9 +823,7 @@ TimeStamp procTime = StartupTimeline::Get(StartupTimeline::PROCESS_CREATION); if (procTime.IsNull()) {- bool error = false;-- procTime = TimeStamp::ProcessCreation(&error);+ procTime = TimeStamp::ProcessCreation(); StartupTimeline::Record(StartupTimeline::PROCESS_CREATION, procTime); }
Here's the analysis of the provided code diff: Vulnerability Existed: not sure Potential Error Handling Removal [File] [Lines 823-827] [Old Code] ```cpp bool error = false; procTime = TimeStamp::ProcessCreation(&error); ``` [Fixed Code] ```cpp procTime = TimeStamp::ProcessCreation(); ``` Additional Details: - The diff shows removal of an error flag that was previously passed to `TimeStamp::ProcessCreation()` - Without seeing the implementation of `TimeStamp::ProcessCreation()`, it's unclear if this was a security-related error handling mechanism - The change might indicate either: 1. The error parameter was unnecessary (improvement) 2. Removal of error checking (potential risk) - Since we can't see how the error flag was used, we can't definitively say if this was a security fix or just a code cleanup
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/wasm/WasmStubs.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/wasm/WasmStubs.cpp@@ -2552,7 +2552,7 @@ explicit ABIFunctionArgs(ABIFunctionType sig) : abiType(ABIFunctionType(sig >> ArgType_Shift)) { len = 0;- uint32_t i = uint32_t(abiType);+ uint64_t i = uint64_t(abiType); while (i) { i = i >> ArgType_Shift; len++;@@ -2563,7 +2563,7 @@ MIRType operator[](size_t i) const { MOZ_ASSERT(i < len);- uint32_t abi = uint32_t(abiType);+ uint64_t abi = uint64_t(abiType); while (i--) { abi = abi >> ArgType_Shift; }
Here's the analysis following the requested format: Vulnerability Existed: yes Integer Overflow Vulnerability [js/src/wasm/WasmStubs.cpp] [Lines 2552, 2563] [Old Code] uint32_t i = uint32_t(abiType); ... uint32_t abi = uint32_t(abiType); [Fixed Code] uint64_t i = uint64_t(abiType); ... uint64_t abi = uint64_t(abiType); Additional Details: The vulnerability appears to be related to potential integer overflow when handling ABI function type information. The change from uint32_t to uint64_t suggests the original code could have overflow issues when processing certain function signatures. This is particularly important in WebAssembly contexts where proper type handling is crucial for security. The fix expands the integer size to prevent potential overflow during bit shifting operations.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/test/mochitest/browser_dbg-breakpoints-columns.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/test/mochitest/browser_dbg-breakpoints-columns.js@@ -122,7 +122,7 @@ } async function removeAllBreakpoints(dbg, line, count) {- clickGutter(dbg, 32);+ await clickGutter(dbg, 32); await waitForBreakpointCount(dbg, 0); ok(findAllElements(dbg, "columnBreakpoints").length == 0);
Analysis of the provided code diff:
1. Vulnerability Existed: not sure
[Potential Race Condition] [devtools/client/debugger/test/mochitest/browser_dbg-breakpoints-columns.js] [Lines 122-123]
[Old Code]
clickGutter(dbg, 32);
await waitForBreakpointCount(dbg, 0);
[Fixed Code]
await clickGutter(dbg, 32);
await waitForBreakpointCount(dbg, 0);
Additional Details:
- The change adds an `await` to the `clickGutter` call, suggesting the function is asynchronous
- Without the `await`, there might have been a race condition where `waitForBreakpointCount` could execute before `clickGutter` completed
- However, since this is test code, it's unclear if this would constitute a security vulnerability or just a test reliability improvement
- No specific CVE or vulnerability name is associated with this change
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/themes/windows/global/radio.css+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/themes/windows/global/radio.css@@ -43,7 +43,7 @@ /* ..... focused state ..... */-radio[focused="true"] > .radio-label-box {+radiogroup:focus-visible > radio[focused="true"] > .radio-label-box { outline: var(--default-focusring); }
Analysis of the provided code diff: 1. Vulnerability Existed: no No known vulnerability [File: toolkit/themes/windows/global/radio.css] [Lines: 43] Old Code: `radio[focused="true"] > .radio-label-box` Fixed Code: `radiogroup:focus-visible > radio[focused="true"] > .radio-label-box` Additional Details: This appears to be a CSS specificity/accessibility improvement rather than a security fix. The change modifies the focus styling selector to be more precise by using `:focus-visible` and scoping it within a `radiogroup`. This helps ensure focus outlines only appear when appropriate for keyboard navigation, improving accessibility but not addressing any security vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.