Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.nonfinite.spacing.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.nonfinite.spacing.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.letterSpacing, '0px', "ctx.letterSpacing", "'0px'"); _assertSame(ctx.wordSpacing, '0px', "ctx.wordSpacing", "'0px'");
Analysis of the provided code diff: 1. Vulnerability Existed: no No security vulnerability found [File] [Lines 13-14] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); The changes in this diff appear to be purely a variable name change from `offscreenCanvas` to `canvas`. This is a code style/readability improvement rather than a security fix. No security vulnerabilities are addressed or introduced by this change.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/ci/test/misc.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/ci/test/misc.yml@@ -36,14 +36,11 @@ variants: [fission] run-on-projects: by-variant:- fission:- by-test-platform:- linux.*-64-qr/debug: [trunk]- linux.*-64(?:-shippable|-asan)?-qr/opt: [trunk]- windows.*-64-qr/debug: [trunk]- windows.*-64(?:-shippable)?-qr/opt: [trunk]- default: []- default: built-projects+ fission: built-projects+ default:+ by-test-platform:+ linux.*: ['trunk']+ default: [] max-run-time: 1200 tier: default mozharness:@@ -63,6 +60,7 @@ max-run-time: 10800 allow-software-gl-layers: false variants: ["fission"]+ run-without-variant: false run-on-projects: by-variant: fission:@@ -73,14 +71,7 @@ (?!.*(-ccov|-asan|-shippable))(?!.*-qr).*: [] # do not run on mozilla-central, beta or release: usually just confirms earlier results default: ['integration']- default:- by-test-platform:- # do not run on ccov or asan or shippable- .*(-ccov|-asan|-shippable).*: []- # linux / windows -qr skipped because they were previously skipped via test-platforms.yml- .*(linux|windows)(?!.*(-ccov|-asan|-shippable)).*-qr.*: []- # do not run on mozilla-central, beta or release: usually just confirms earlier results- default: ['integration']+ default: [] built-projects-only: true target: by-test-platform:@@ -148,17 +139,20 @@ virtualization: virtual-with-gpu max-run-time: 10800 allow-software-gl-layers: false- run-on-projects:- by-variant:- fission: ['trunk']- default:+ variants: ["fission"]+ run-without-variant: false+ run-on-projects:+ by-variant:+ fission: by-test-platform: # do not run on ccov or asan .*-ccov.*/.*: [] .*-asan/.*: [] .*shippable.*: [] # do not run on mozilla-central, beta or release: usually just confirms earlier results- default: ['integration']+ linux.*: ['integration']+ default: []+ default: [] 
built-projects-only: true optimization: test-verify: ["test-verify-gpu"]@@ -192,13 +186,15 @@ instance-size: default max-run-time: 10800 allow-software-gl-layers: false- run-on-projects:- by-variant:- fission: ['trunk']- default:+ variants: ["fission"]+ run-without-variant: false+ run-on-projects:+ by-variant:+ fission: by-test-platform: .*-ccov.*/.*: built-projects default: []+ default: [] tier: 2 mozharness: script:@@ -258,14 +254,16 @@ instance-size: default max-run-time: 10800 allow-software-gl-layers: false- run-on-projects:- by-variant:- fission: ['trunk']- default:+ variants: ["fission"]+ run-without-variant: false+ run-on-projects:+ by-variant:+ fission: by-test-platform: # only run on mozilla-central and try. .*-ccov.*/.*: ['mozilla-central'] default: []+ default: [] tier: by-test-platform: windows10-64-asan.*: 3
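Review bot: In the hunk at `@@ -148,17 +139,20 @@`, the retained comment `# do not run on mozilla-central, beta or release: usually just confirms earlier results` now sits directly above `linux.*: ['integration']` followed by `default: []`, so it no longer describes the fall-through: non-Linux platforms stop running entirely instead of running on integration only. Update the comment to say that, otherwise the next reader will take `default: []` for an accident.

Review bot: In the first hunk (`@@ -36,14 +36,11 @@`) the `default:` branch under `by-variant` goes from `built-projects` to `linux.*: ['trunk']` with `default: []`, which drops the non-fission run on every other platform and project without a comment saying why. The later hunks keep their "do not run on ..." comments, so add one here as well. The new `['trunk']` is also quoted where the removed lines used `[trunk]`; pick one style for the file.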
Analysis of the code diff:

1. Vulnerability Existed: not sure
   [Potential Configuration Hardening] [taskcluster/ci/test/misc.yml] [Lines 36-44]
   [Old Code]
   ```yaml
   variants: [fission]
   run-on-projects:
       by-variant:
           fission:
               by-test-platform:
                   linux.*-64-qr/debug: [trunk]
                   linux.*-64(?:-shippable|-asan)?-qr/opt: [trunk]
                   windows.*-64-qr/debug: [trunk]
                   windows.*-64(?:-shippable)?-qr/opt: [trunk]
                   default: []
           default: built-projects
   ```
   [Fixed Code]
   ```yaml
   variants: [fission]
   run-on-projects:
       by-variant:
           fission: built-projects
           default:
               by-test-platform:
                   linux.*: ['trunk']
                   default: []
   ```

2. Vulnerability Existed: not sure
   [Added Security Control] [taskcluster/ci/test/misc.yml] [Lines 60-63]
   [Old Code]
   ```yaml
   variants: ["fission"]
   ```
   [Fixed Code]
   ```yaml
   variants: ["fission"]
   run-without-variant: false
   ```

3. Vulnerability Existed: not sure
   [Potential Over-Permission Reduction] [taskcluster/ci/test/misc.yml] [Lines 71-81]
   [Old Code]
   ```yaml
   default:
       by-test-platform:
           # do not run on ccov or asan or shippable
           .*(-ccov|-asan|-shippable).*: []
           # linux / windows -qr skipped because they were previously skipped via test-platforms.yml
           .*(linux|windows)(?!.*(-ccov|-asan|-shippable)).*-qr.*: []
           # do not run on mozilla-central, beta or release: usually just confirms earlier results
           default: ['integration']
   ```
   [Fixed Code]
   ```yaml
   default: []
   ```

4. Vulnerability Existed: not sure
   [Added Security Control] [taskcluster/ci/test/misc.yml] [Lines 139-142]
   [Old Code]
   ```yaml
   variants: ["fission"]
   ```
   [Fixed Code]
   ```yaml
   variants: ["fission"]
   run-without-variant: false
   ```

5. Vulnerability Existed: not sure
   [Potential Over-Permission Reduction] [taskcluster/ci/test/misc.yml] [Lines 186-189]
   [Old Code]
   ```yaml
   variants: ["fission"]
   ```
   [Fixed Code]
   ```yaml
   variants: ["fission"]
   run-without-variant: false
   ```

6. Vulnerability Existed: not sure
   [Added Security Control] [taskcluster/ci/test/misc.yml] [Lines 254-257]
   [Old Code]
   ```yaml
   variants: ["fission"]
   ```
   [Fixed Code]
   ```yaml
   variants: ["fission"]
   run-without-variant: false
   ```

Note: While no specific vulnerabilities were identified, the changes appear to be hardening the configuration by:
1. Adding explicit `run-without-variant: false` controls
2. Simplifying and potentially restricting project run permissions
3. Removing some default behaviors that might have been too permissive

The changes seem focused on making the test configurations more explicit and potentially more secure, though without more context about the specific threat model, we can't be certain about actual vulnerabilities being fixed.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/protocol/http/AlternateServices.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/protocol/http/AlternateServices.cpp@@ -163,7 +163,7 @@ SpdyInformation* spdyInfo = gHttpHandler->SpdyInfo(); if (!(NS_SUCCEEDED(spdyInfo->GetNPNIndex(npnToken, &spdyIndex)) && spdyInfo->ProtocolEnabled(spdyIndex)) &&- !(isHttp3 && gHttpHandler->IsHttp3Enabled() &&+ !(isHttp3 && StaticPrefs::network_http_http3_enable() && !gHttpHandler->IsHttp3Excluded(hostname.IsEmpty() ? originHost : hostname))) { LOG(("Alt Svc unknown protocol %s, ignoring", npnToken.get()));@@ -935,7 +935,7 @@ } if (rv->IsHttp3() &&- (!gHttpHandler->IsHttp3Enabled() ||+ (!StaticPrefs::network_http_http3_enable() || !gHttpHandler->IsHttp3VersionSupported(rv->NPNToken()) || gHttpHandler->IsHttp3Excluded(rv->AlternateHost()))) { // If Http3 is disabled or the version not supported anymore, remove the
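Review bot: Both call sites now read `StaticPrefs::network_http_http3_enable()` directly but still go through `gHttpHandler` for `IsHttp3Excluded()` and, in the hunk at line 935, `IsHttp3VersionSupported()`. The diff does not show what `IsHttp3Enabled()` did, so confirm it was only a wrapper around this pref; if it folded in any other state, the Alt-Svc protocol check at line 163 and the mapping removal at line 935 now skip it. If the accessor has no remaining callers, remove it in the same change so the two ways of asking whether HTTP/3 is on cannot drift apart.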
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   HTTP/3 Configuration Check [netwerk/protocol/http/AlternateServices.cpp] [Lines 163-166]
   Old Code: `!(isHttp3 && gHttpHandler->IsHttp3Enabled() &&`
   Fixed Code: `!(isHttp3 && StaticPrefs::network_http_http3_enable() &&`

2. Vulnerability Existed: not sure
   HTTP/3 Validation Check [netwerk/protocol/http/AlternateServices.cpp] [Lines 935-938]
   Old Code: `if (rv->IsHttp3() && (!gHttpHandler->IsHttp3Enabled() ||`
   Fixed Code: `if (rv->IsHttp3() && (!StaticPrefs::network_http_http3_enable() ||`

Additional Details:
- The changes appear to modify how HTTP/3 support is checked, switching from using `gHttpHandler->IsHttp3Enabled()` to `StaticPrefs::network_http_http3_enable()`
- While this could potentially relate to security (as protocol support checks are important for security), there's no clear vulnerability being fixed here
- The changes might be related to configuration management rather than direct security fixes
- No specific CVE or vulnerability name is apparent from these changes
- The modifications could be part of a larger security hardening effort, but the diff alone doesn't show clear security fixes
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/performance/PerformanceWorker.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/performance/PerformanceWorker.h@@ -8,11 +8,10 @@ #define mozilla_dom_PerformanceWorker_h #include "Performance.h"+#include "mozilla/dom/WorkerPrivate.h" namespace mozilla { namespace dom {--class WorkerPrivate; class PerformanceWorker final : public Performance { public:@@ -94,7 +93,7 @@ } private:- WorkerPrivate* mWorkerPrivate;+ CheckedUnsafePtr<WorkerPrivate> mWorkerPrivate; }; } // namespace dom
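Review bot: `mWorkerPrivate` becomes `CheckedUnsafePtr<WorkerPrivate>`, but the member is still a non-owning pointer and the header gains no comment stating what guarantees that the `WorkerPrivate` outlives the `PerformanceWorker`. Add a one-line comment on the member documenting that lifetime invariant. Replacing the `class WorkerPrivate;` forward declaration with `#include "mozilla/dom/WorkerPrivate.h"` also pulls the full definition into every file that includes this header; if the wrapper needs the complete type, say so in the commit message.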
Here's the analysis of the provided code diff: 1. Vulnerability Existed: yes [Potential Use-After-Free Vulnerability] [dom/performance/PerformanceWorker.h] [Lines 94] [Old Code] `WorkerPrivate* mWorkerPrivate;` [Fixed Code] `CheckedUnsafePtr<WorkerPrivate> mWorkerPrivate;` Additional Details: The change replaces a raw pointer with `CheckedUnsafePtr`, which is a Mozilla-specific smart pointer that helps prevent use-after-free vulnerabilities. The raw pointer could potentially lead to use-after-free issues if the WorkerPrivate object was deleted while still being referenced. The fix ensures safer memory management by using a wrapper that provides additional safety checks.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/CSS2/visudet/line-height-205.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/CSS2/visudet/line-height-205.html@@ -4,7 +4,6 @@ <link rel="author" title="Florian Rivoal" href="https://florian.rivoal.net"> <link rel="help" href="https://drafts.csswg.org/css2/visudet.html#line-height"> <link rel="match" href="reference/line-height-202-ref.html">-<meta name="flags" content=""> <meta name="assert" content="The height of an inline-level box whose line-height is normal and uses both the first available font and fallback fonts is the same as the union of baseline-aligned adjacent inline-level boxes, each using the various fonts as their primary one.">
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability [File] testing/web-platform/tests/css/CSS2/visudet/line-height-205.html [Lines] 4 Old Code: `<meta name="flags" content="">` Fixed Code: (removed line) Additional Details: This appears to be a test file modification where an empty meta tag for "flags" was removed. There's no security implication to this change. Note: The diff shows only the removal of an empty meta tag that was likely used for test configuration purposes. This doesn't appear to be related to any security fix but rather a test file cleanup. No known vulnerabilities are addressed by this change.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/search/schema/search-engine-config-schema.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/search/schema/search-engine-config-schema.json@@ -319,7 +319,7 @@ "telemetryId": { "type": "string", "title": "Telemetry Id",- "pattern": "^[a-zA-Z0-9-]{0,100}$",+ "pattern": "^[a-zA-Z0-9-$_]{0,100}$", "description": "The telemetry Id as used for some of SEARCH_COUNTS telemetry." }, "webExtension": {@@ -335,7 +335,7 @@ "locale": { "type": "string", "title": "WebExtension Locale",- "pattern": "^[a-zA-Z0-9-]{0,100}$",+ "pattern": "^[a-zA-Z0-9-$_]{0,100}$", "description": "Overrides the WebExtension locales and specifies to use a particular one. Ideally this should only be used when really necessary, otherwise considered deprecated." } }
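Review bot: In both `pattern` lines the hyphen now sits in the middle of the character class (`0-9-$_`), where it is a literal only because it directly follows a completed range. Move it to the end or escape it, for example `^[a-zA-Z0-9$_-]{0,100}$`, so that a later edit inserting a character in front of `$` cannot silently turn it into a range. The change widens what `telemetryId` and `locale` accept, so check that every consumer of these two fields tolerates `$` and `_`.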
Here's the analysis following the required format:

1. Vulnerability Existed: not sure
   Input Validation Expansion [File] [Lines 319-319, 335-335]
   [Old Code]
   "pattern": "^[a-zA-Z0-9-]{0,100}$"
   [Fixed Code]
   "pattern": "^[a-zA-Z0-9-$_]{0,100}$"

Additional Details:
- The change expands the allowed character set in patterns for both "telemetryId" and "webExtension.locale" fields to include dollar signs ($) and underscores (_)
- While this isn't fixing a known vulnerability, it could be related to:
  1) Preventing potential validation bypass if these characters were needed but previously rejected
  2) Aligning with actual telemetry system requirements that might have needed these characters
- Without more context about how these fields are used, it's difficult to determine if this was fixing a security issue or just a functional requirement change
- The change appears to be expanding validation rather than tightening it, which is unusual for security fixes
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/streams/readable-byte-streams/respond-after-enqueue.any.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/streams/readable-byte-streams/respond-after-enqueue.any.js@@ -1,4 +1,4 @@-// META: global=window,worker,jsshell+// META: global=window,worker 'use strict';
Analysis of the code diff: 1. Vulnerability Existed: no No specific vulnerability [File] [Lines 1-1] [Old Code] // META: global=window,worker,jsshell [Fixed Code] // META: global=window,worker Additional Details: - The change simply removes 'jsshell' from the list of global environments where this test should run - This appears to be a test configuration change rather than a security fix - No actual security vulnerability is being addressed here, just a test scope modification The modification doesn't indicate any security vulnerability being fixed. It's likely just a test environment adjustment where the test is no longer intended to run in jsshell context. No security implications are apparent from this change.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-backgrounds/box-shadow-overlapping-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-backgrounds/box-shadow-overlapping-001.html@@ -9,7 +9,6 @@ <link rel="match" href="reference/box-shadow-overlapping-001-ref.html"> <link rel="stylesheet" type="text/css" href="/fonts/ahem.css">- <meta content="" name="flags"> <meta content="Box shadows do not affect layout. Box shadows take up no space. Box shadows do not affect or influence normal flow of boxes. Therefore, box shadows can 'collide' with other boxes and can overlap other boxes (inline box or line box) or be overlapped by other boxes. In this test, the text ('PED') is before a left outer box-shadow box and such left outer box-shadow box is wide and wide enough to overlap the text 'PED'." name="assert"> <style>
Analysis of the provided code diff: 1. Vulnerability Existed: no No security vulnerability found [File] [Lines 9] [Old Code] <meta content="" name="flags"> [Fixed Code] (removed line) Additional Details: - The change simply removes an empty meta tag with a "flags" attribute. This doesn't appear to be a security-related fix but rather a cleanup of unnecessary markup. - There's no known vulnerability associated with empty meta tags or the "flags" attribute. - The change appears to be part of code maintenance rather than a security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.radius.negative.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.radius.negative.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); assert_throws_js(RangeError, () => { ctx.roundRect(0, 0, 0, 0, [-1])}); assert_throws_js(RangeError, () => { ctx.roundRect(0, 0, 0, 0, [1, -1])});
Analysis of the provided code diff: 1. Vulnerability Existed: no Variable Renaming [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.radius.negative.worker.js] [Lines 13-14] Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); 2. Vulnerability Existed: no No functional changes detected in the test assertions [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.radius.negative.worker.js] [Lines 16-17] Old Code: assert_throws_js(RangeError, () => { ctx.roundRect(0, 0, 0, 0, [-1])}); assert_throws_js(RangeError, () => { ctx.roundRect(0, 0, 0, 0, [1, -1])}); Fixed Code: (same as old code, no changes) The changes in this diff appear to be purely cosmetic (variable renaming) with no security implications. The test assertions remain unchanged and continue to verify that negative radius values in roundRect() throw RangeError as expected. No security vulnerabilities were identified in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.canvas.destination-in.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.canvas.destination-in.worker.js@@ -13,11 +13,11 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d');-var offscreenCanvas2 = new OffscreenCanvas(offscreenCanvas.width, offscreenCanvas.height);+var offscreenCanvas2 = new OffscreenCanvas(canvas.width, canvas.height); var ctx2 = offscreenCanvas2.getContext('2d'); var promise = new Promise(function(resolve, reject) { var xhr = new XMLHttpRequest();@@ -35,7 +35,7 @@ ctx.fillRect(0, 0, 100, 50); ctx.globalCompositeOperation = 'destination-in'; ctx.drawImage(offscreenCanvas2, 0, 0);- _assertPixelApprox(offscreenCanvas, 50,25, 0,255,255,96, "50,25", "0,255,255,96", 5);+ _assertPixelApprox(canvas, 50,25, 0,255,255,96, "50,25", "0,255,255,96", 5); }, t_fail); }).then(t_pass, t_fail);
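Review bot: After the rename the test has `canvas` next to `offscreenCanvas2`, so the two canvases no longer share a naming scheme. Rename the second one as well (for example `canvas2`) or keep the old prefix on both.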
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: no
   Variable Renaming [File] [Lines 13-14, 35]
   [Old Code]
   ```javascript
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   _assertPixelApprox(offscreenCanvas, 50,25, 0,255,255,96, "50,25", "0,255,255,96", 5);
   ```
   [Fixed Code]
   ```javascript
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');
   _assertPixelApprox(canvas, 50,25, 0,255,255,96, "50,25", "0,255,255,96", 5);
   ```

2. Vulnerability Existed: no
   Variable Reference Update [File] [Line 17]
   [Old Code]
   ```javascript
   var offscreenCanvas2 = new OffscreenCanvas(offscreenCanvas.width, offscreenCanvas.height);
   ```
   [Fixed Code]
   ```javascript
   var offscreenCanvas2 = new OffscreenCanvas(canvas.width, canvas.height);
   ```

The changes appear to be purely cosmetic/refactoring in nature, involving variable renaming and reference updates to maintain consistency. No security vulnerabilities were identified in this diff. The modifications are focused on improving code readability and consistency rather than addressing security issues.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/themes/shared/downloads/progressmeter.inc.css+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/themes/shared/downloads/progressmeter.inc.css@@ -54,7 +54,7 @@ } /* Ensure we have contrast in selected download items */-#downloadsRichListBox richlistitem[selected] .downloadProgress::-moz-progress-bar {+#downloadsListBox.allDownloadsListBox richlistitem[selected] .downloadProgress::-moz-progress-bar { --download-progress-fill-color: currentColor; --download-progress-flare-color: -moz-accent-color; }
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: no No specific vulnerability found [File] browser/themes/shared/downloads/progressmeter.inc.css [Lines] 54 [Old Code] `#downloadsRichListBox richlistitem[selected] .downloadProgress::-moz-progress-bar` [Fixed Code] `#downloadsListBox.allDownloadsListBox richlistitem[selected] .downloadProgress::-moz-progress-bar` Additional Details: The change appears to be a CSS selector specificity/accuracy improvement rather than a security fix. The modification updates the selector to target a more specific element (`#downloadsListBox.allDownloadsListBox` instead of `#downloadsRichListBox`), likely for better styling consistency. No security vulnerability is evident in this change.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/streams/piping/abort.any.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/streams/piping/abort.any.js@@ -1,4 +1,4 @@-// META: global=window,worker,jsshell+// META: global=window,worker // META: script=../resources/recording-streams.js // META: script=../resources/test-utils.js 'use strict';
Analysis of the code diff: 1. Vulnerability Existed: no No specific vulnerability found File: testing/web-platform/tests/streams/piping/abort.any.js Lines: 1 Old Code: `// META: global=window,worker,jsshell` Fixed Code: `// META: global=window,worker` Additional Details: The change simply removes 'jsshell' from the list of global environments where the test should run. This appears to be a test configuration change rather than a security fix. No specific vulnerability is being addressed here, just a modification of test scope. The change might indicate that jsshell environment is no longer supported or relevant for these tests, but this doesn't appear to be security-related.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/vm/BuiltinObjectKind.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/vm/BuiltinObjectKind.cpp@@ -24,6 +24,8 @@ return JSProto_Int32Array; case BuiltinObjectKind::Iterator: return JSProto_Iterator;+ case BuiltinObjectKind::Map:+ return JSProto_Map; case BuiltinObjectKind::Promise: return JSProto_Promise; case BuiltinObjectKind::RegExp:@@ -61,6 +63,7 @@ case BuiltinObjectKind::ArrayBuffer: case BuiltinObjectKind::Int32Array: case BuiltinObjectKind::Iterator:+ case BuiltinObjectKind::Map: case BuiltinObjectKind::Promise: case BuiltinObjectKind::RegExp: case BuiltinObjectKind::Set:@@ -97,6 +100,9 @@ } if (name == frontend::TaggedParserAtomIndex::WellKnown::Iterator()) { return BuiltinObjectKind::Iterator;+ }+ if (name == frontend::TaggedParserAtomIndex::WellKnown::Map()) {+ return BuiltinObjectKind::Map; } if (name == frontend::TaggedParserAtomIndex::WellKnown::Promise()) { return BuiltinObjectKind::Promise;@@ -166,6 +172,8 @@ return "Int32Array"; case BuiltinObjectKind::Iterator: return "Iterator";+ case BuiltinObjectKind::Map:+ return "Map"; case BuiltinObjectKind::Promise: return "Promise"; case BuiltinObjectKind::RegExp:
Analyzing the provided code diff, it appears to be adding support for the `Map` builtin object type. Here's the analysis following the required format:

1. Vulnerability Existed: no
   [No Vulnerability Found] [js/src/vm/BuiltinObjectKind.cpp] [Lines 24,61,97,166]
   [Old Code: Missing Map case in switch statements and checks]
   [Fixed Code: Added Map case in switch statements and checks]

This diff shows the addition of support for the `Map` builtin object type in multiple places in the file. The changes include:
1. Adding a case for `BuiltinObjectKind::Map` in the `BuiltinObjectToProto` function
2. Adding `BuiltinObjectKind::Map` to the switch case in `IsBuiltinConstructor`
3. Adding a check for `Map` in `BuiltinObjectKindForName`
4. Adding a string representation for `Map` in `BuiltinObjectKindName`

These changes appear to be feature additions rather than security fixes, as they're consistently adding support for a new builtin type rather than correcting any insecure code patterns. The changes follow the same pattern as other existing builtin types in the file.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/reducers/tests/sources.spec.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/reducers/tests/sources.spec.js@@ -2,7 +2,8 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */-import update, { initialSourcesState, getDisplayedSources } from "../sources";+import update, { initialSourcesState } from "../sources";+import { getDisplayedSources } from "../../selectors/sources"; import { initialThreadsState } from "../threads"; import updateSourceActors from "../source-actors"; import { prefs } from "../../utils/prefs";
Let me analyze the code diff for security fixes. Vulnerability Existed: no [Code Organization Improvement] [devtools/client/debugger/src/reducers/tests/sources.spec.js] [Lines 2-3] [Old Code] import update, { initialSourcesState, getDisplayedSources } from "../sources"; [Fixed Code] import update, { initialSourcesState } from "../sources"; import { getDisplayedSources } from "../../selectors/sources"; Analysis: 1. This appears to be a code organization improvement rather than a security fix. 2. The change separates the import of `getDisplayedSources` from the sources reducer file to its proper location in the selectors directory. 3. No actual security vulnerability is being fixed here - it's just better code organization and separation of concerns. 4. The functionality remains the same, just imported from a more appropriate location.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/downloads/test/browser/browser_downloads_context_menu_always_open_similar_files.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/downloads/test/browser/browser_downloads_context_menu_always_open_similar_files.js@@ -39,7 +39,11 @@ info("Setting path for download file"); // Set target for download file. Otherwise, file will default to .file instead of txt // when we prepare our downloads - particularly in task_addDownloads().- let target = FileUtils.getFile("TmpD", ["downloaded.txt"]);+ let targetPath = PathUtils.join(+ await PathUtils.getTempDir(),+ "downloaded.txt"+ );+ let target = new FileUtils.File(targetPath); target.createUnique(Ci.nsIFile.NORMAL_FILE_TYPE, FileUtils.PERMS_FILE); downloads.push({ state: DownloadsCommon.DOWNLOAD_FINISHED,
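Review bot: the added `await PathUtils.getTempDir()` only works if the enclosing function is async, and the hunk context does not show its declaration, so please confirm that before landing. Both path components are fixed values (the temp directory and the literal "downloaded.txt"), and `target.createUnique(...)` is unchanged, so from the visible lines this is a move from `FileUtils.getFile("TmpD", ...)` to `PathUtils`; saying that in the commit message would keep it from being read as a behaviour change.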
Based on the provided code diff, here's the analysis:

Vulnerability Existed: not sure
Potential Path Manipulation Vulnerability [browser/components/downloads/test/browser/browser_downloads_context_menu_always_open_similar_files.js] [Lines 39-43]
[Old Code]
let target = FileUtils.getFile("TmpD", ["downloaded.txt"]);
[Fixed Code]
let targetPath = PathUtils.join(
  await PathUtils.getTempDir(),
  "downloaded.txt"
);
let target = new FileUtils.File(targetPath);

Additional Details: The change appears to be updating how temporary file paths are constructed, moving from the older FileUtils.getFile() method to using PathUtils.join() with an explicitly obtained temp directory. While this doesn't clearly indicate a security vulnerability, it does represent a more modern and potentially safer way to handle file paths. The change could be related to path traversal prevention or more reliable temp file handling, but without more context about the specific security concern being addressed, we can't be certain.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-hsl-7.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-hsl-7.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(133.33333333grad, 100.0%, 50.0%)'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Here's the analysis of the provided code diff:

1. Vulnerability Existed: no
Variable Renaming [File] [Lines 13-14, 20]
Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```
Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

2. Vulnerability Existed: no
Variable Renaming [File] [Line 20]
Old Code:
```javascript
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```
Fixed Code:
```javascript
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```

The changes appear to be purely cosmetic, renaming the variable `offscreenCanvas` to `canvas` for consistency or clarity. There are no security vulnerabilities being fixed in this diff - it's just a variable name change that doesn't affect functionality or security. The actual canvas operations and assertions remain unchanged.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/python/mozbuild/mozbuild/test/configure/test_compile_checks.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/python/mozbuild/mozbuild/test/configure/test_compile_checks.py@@ -59,6 +59,10 @@ @depends(when=True) def stlport_cppflags():+ return []++ @depends(when=True)+ def linker_ldflags(): return [] target = depends(when=True)(lambda: True)
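Review bot: the added `linker_ldflags` stub carries no comment saying which compile check now depends on it. It returns `[]` just like the `stlport_cppflags` stub above it, so a one-line comment naming the consumer would make clear why this test fixture had to grow.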
Let me analyze the diff for potential security vulnerabilities.

Vulnerability Existed: no
No specific vulnerability found [File] python/mozbuild/mozbuild/test/configure/test_compile_checks.py [Lines] 59-63
[Old Code]
@depends(when=True)
def stlport_cppflags():
    return []
[Fixed Code]
@depends(when=True)
def stlport_cppflags():
    return []

@depends(when=True)
def linker_ldflags():
    return []

The diff shows an addition of a new function `linker_ldflags()` that returns an empty list, similar to the existing `stlport_cppflags()` function. This appears to be a test code addition rather than a security fix. There are no obvious security vulnerabilities being addressed in this change. The modification is simply adding a new test case for linker flags configuration.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/thiserror-impl/src/fmt.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/thiserror-impl/src/fmt.rs@@ -1,8 +1,8 @@ use crate::ast::Field;-use crate::attr::Display;+use crate::attr::{Display, Trait}; use proc_macro2::TokenTree; use quote::{format_ident, quote_spanned};-use std::collections::HashSet as Set;+use std::collections::{BTreeSet as Set, HashMap as Map}; use syn::ext::IdentExt; use syn::parse::{ParseStream, Parser}; use syn::{Ident, Index, LitStr, Member, Result, Token};@@ -12,7 +12,10 @@ pub fn expand_shorthand(&mut self, fields: &[Field]) { let raw_args = self.args.clone(); let mut named_args = explicit_named_args.parse2(raw_args).unwrap();- let fields: Set<Member> = fields.iter().map(|f| f.member.clone()).collect();+ let mut member_index = Map::new();+ for (i, field) in fields.iter().enumerate() {+ member_index.insert(&field.member, i);+ } let span = self.fmt.span(); let fmt = self.fmt.value();@@ -20,6 +23,7 @@ let mut out = String::new(); let mut args = self.args.clone(); let mut has_bonus_display = false;+ let mut implied_bounds = Set::new(); let mut has_trailing_comma = false; if let Some(TokenTree::Punct(punct)) = args.clone().into_iter().last() {@@ -47,7 +51,7 @@ Ok(index) => Member::Unnamed(Index { index, span }), Err(_) => return, };- if !fields.contains(&member) {+ if !member_index.contains_key(&member) { out += ∫ continue; }@@ -60,6 +64,24 @@ } _ => continue, };+ if let Some(&field) = member_index.get(&member) {+ let end_spec = match read.find('}') {+ Some(end_spec) => end_spec,+ None => return,+ };+ let bound = match read[..end_spec].chars().next_back() {+ Some('?') => Trait::Debug,+ Some('o') => Trait::Octal,+ Some('x') => Trait::LowerHex,+ Some('X') => Trait::UpperHex,+ Some('p') => Trait::Pointer,+ Some('b') => Trait::Binary,+ Some('e') => 
Trait::LowerExp,+ Some('E') => Trait::UpperExp,+ Some(_) | None => Trait::Display,+ };+ implied_bounds.insert((field, bound));+ } let local = match &member { Member::Unnamed(index) => format_ident!("_{}", index), Member::Named(ident) => ident.clone(),@@ -82,7 +104,7 @@ args.extend(quote_spanned!(span=> ,)); } args.extend(quote_spanned!(span=> #formatvar = #local));- if read.starts_with('}') && fields.contains(&member) {+ if read.starts_with('}') && member_index.contains_key(&member) { has_bonus_display = true; args.extend(quote_spanned!(span=> .as_display())); }@@ -93,6 +115,7 @@ self.fmt = LitStr::new(&out, self.fmt.span()); self.args = args; self.has_bonus_display = has_bonus_display;+ self.implied_bounds = implied_bounds; } }
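Review bot: in the hunk that adds the `implied_bounds.insert((field, bound))` block, the trait is inferred from only the last character before the closing brace (`read[..end_spec].chars().next_back()`), with everything unrecognised falling through to `Trait::Display`. Please add a comment stating that this relies on the format type being the final character of the spec, and add tests for specs that carry width or precision before the type. The `None => return` on a missing `}` also exits before `self.implied_bounds` is assigned at the end of the function; it mirrors the existing `Err(_) => return`, but a note that malformed format strings are deliberately left untouched here would help the next reader.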
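Review bot: in the first hunk, `Set` is re-aliased from `HashSet` to `BTreeSet` while keeping the same name, and the only remaining user visible in this patch is `implied_bounds`. That set holds `(field, bound)` tuples, so `Trait` has to be orderable, which these hunks do not show; either point at where that is derived or mention it in the commit message, along with the reason an ordered set is wanted here.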
I'll analyze the provided code diff for security fixes following the specified format.

Vulnerability Existed: not sure
[Potential Data Structure Change] [third_party/rust/thiserror-impl/src/fmt.rs] [1-4,12-14]
[Old Code]
use crate::ast::Field;
use crate::attr::Display;
use proc_macro2::TokenTree;
use quote::{format_ident, quote_spanned};
use std::collections::HashSet as Set;

pub fn expand_shorthand(&mut self, fields: &[Field]) {
    let raw_args = self.args.clone();
    let mut named_args = explicit_named_args.parse2(raw_args).unwrap();
    let fields: Set<Member> = fields.iter().map(|f| f.member.clone()).collect();
[Fixed Code]
use crate::ast::Field;
use crate::attr::{Display, Trait};
use proc_macro2::TokenTree;
use quote::{format_ident, quote_spanned};
use std::collections::{BTreeSet as Set, HashMap as Map};

pub fn expand_shorthand(&mut self, fields: &[Field]) {
    let raw_args = self.args.clone();
    let mut named_args = explicit_named_args.parse2(raw_args).unwrap();
    let mut member_index = Map::new();
    for (i, field) in fields.iter().enumerate() {
        member_index.insert(&field.member, i);
    }

Vulnerability Existed: not sure
[Potential Logic Change] [third_party/rust/thiserror-impl/src/fmt.rs] [47-51,64-82]
[Old Code]
if !fields.contains(&member) {
    out += &int;
    continue;
}
[Fixed Code]
if !member_index.contains_key(&member) {
    out += &int;
    continue;
}
if let Some(&field) = member_index.get(&member) {
    let end_spec = match read.find('}') {
        Some(end_spec) => end_spec,
        None => return,
    };
    let bound = match read[..end_spec].chars().next_back() {
        Some('?') => Trait::Debug,
        Some('o') => Trait::Octal,
        Some('x') => Trait::LowerHex,
        Some('X') => Trait::UpperHex,
        Some('p') => Trait::Pointer,
        Some('b') => Trait::Binary,
        Some('e') => Trait::LowerExp,
        Some('E') => Trait::UpperExp,
        Some(_) | None => Trait::Display,
    };
    implied_bounds.insert((field, bound));
}

The changes appear to be more about functionality improvements rather than direct security fixes. The main changes are:
1. Switching from HashSet to HashMap/BTreeSet for better data organization
2. Adding new trait bound detection logic
3. Tracking implied bounds for fields

While these changes could potentially affect security by improving data handling and validation, I don't see any clear security vulnerabilities being fixed in this diff. The changes seem focused on adding features and improving internal data structures rather than patching security issues.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/async-task/README.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/async-task/README.md@@ -1,9 +1,9 @@ # async-task-[](-https://github.com/stjepang/async-task/actions)-[](-https://github.com/stjepang/async-task)+[](+https://github.com/smol-rs/async-task/actions)+[](+https://github.com/smol-rs/async-task) []( https://crates.io/crates/async-task) [](
Based on the provided diff content, this appears to be a documentation/README update rather than a code change that would fix security vulnerabilities. Here's the analysis:

Vulnerability Existed: no
[No security vulnerability found] [third_party/rust/async-task/README.md] [Lines 1-9]
[Old Code]
[]( https://github.com/stjepang/async-task/actions)
[]( https://github.com/stjepang/async-task)
[Fixed Code]
[]( https://github.com/smol-rs/async-task/actions)
[]( https://github.com/smol-rs/async-task)

Additional Details:
- The changes only update repository URLs and license badge formatting
- The repository ownership changed from stjepang to smol-rs
- The license information was reformatted but remains the same (MIT/Apache-2.0)
- No actual code changes were made that would affect security
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-7.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-7.xml@@ -9,7 +9,6 @@ span[class~="b"] { background-color : red }]]></style> <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <p class="a b c">This paragraph should have green background because CLASS
Based on the provided diff, I'll analyze it for security vulnerabilities:

Vulnerability Existed: no
No security vulnerability found [File] [Lines 9]
[Old Code]
<meta name="flags" content="" />
[Fixed Code]
(removed line)

Additional Details:
- The change simply removes a meta tag with empty flags attribute
- This appears to be test cleanup rather than a security fix
- No known vulnerability patterns are present in this change
- The modification doesn't affect any security-sensitive functionality

The diff shows a minor cleanup change in a test file, removing an unused meta tag. There's no indication this was related to any security vulnerability. The change appears to be part of routine test maintenance rather than addressing any security concern.