Firefox ESR Changelog

What's new in Firefox ESR 115.9.1 (Apr 15, 2024)

  • Security fix:
  • CVE-2024-29944: Privileged JavaScript Execution via Event Handlers

New in Firefox ESR 115.9.0 (Mar 22, 2024)

  • Various security fixes and other quality improvements.

New in Firefox ESR 115.6.0 (Jan 23, 2024)

  • Various security fixes and other quality improvements.

New in Firefox ESR 115.4.0 (Nov 14, 2023)

  • Various security fixes and other quality improvements:
  • CVE-2023-5721: Queued up rendering could have allowed websites to clickjack
  • CVE-2023-5732: Address bar spoofing via bidirectional characters
  • CVE-2023-5724: Large WebGL draw could have led to a crash
  • CVE-2023-5725: WebExtensions could open arbitrary URLs
  • CVE-2023-5727: Download Protections were bypassed by .msix, .msixbundle, .appx, and .appxbundle files on Windows
  • CVE-2023-5728: Improper object tracking during GC in the JavaScript engine could have led to a crash.
  • CVE-2023-5730: Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1
  • Firefox 115 for developers:
  • This article provides information about the changes in Firefox 115 that affect developers. Firefox 115 was released on July 04, 2023.
  • Changes for web developers
  • HTML
  • The modulepreload keyword for the rel attribute of the <link> element is now supported. This allows early (and asynchronous) fetching of module scripts and their dependencies in parallel, which are then stored in the document's module map (Firefox bug 1425310).
  • CSS:
  • The CSS animation-composition property is now supported by default. You can use this property to specify the composite operation to use when multiple animations affect the same property simultaneously. (Firefox bug 1823862).
  • The supports-conditions in the CSS @import at-rule supports() function is now supported by default. This feature allows stylesheets to be imported only if the specified feature is supported in the user's browser. (Firefox bug 1830779).
  • JavaScript:
  • The Array.fromAsync() static method is now supported. The method asynchronously returns a new, shallow-copied Array instance from an async iterable, iterable, or array-like object (Firefox bug 1795816).
  • The Array and TypedArray methods Array.toReversed(), Array.toSorted(), Array.toSpliced(), Array.with(), TypedArrays.toReversed(), TypedArrays.toSorted(), and TypedArrays.with() are now supported. These methods return a new array with elements that have been shallow copied (similarly named methods without the to prefix modify the array elements in place). (Firefox bug 1811057).
  • HTTP:
  • The Sec-Purpose HTTP fetch metadata request header is now included in requests to Prefetch resources. This allows servers to provide any special handling that might be needed, such as adjusting the caching expiry for the request (Firefox bug 1836328).
  • APIs:
  • The Response.json() static method is now supported, making it easier to construct Response objects for returning JSON data. The method will be useful for service workers and any other code that needs to respond to browser requests with JSON data (Firefox bug 1758943).
  • The URL.canParse() static method can now be used to parse and validate an absolute URL, or a relative URL and base URL. This provides a fast and easy way to check if URLs are valid, instead of constructing them within a try...catch block and handling exceptions. (Firefox bug 1823354).
  • The URLSearchParams.has() and URLSearchParams.delete() methods now support the optional value argument. This allows matching a search parameter on both the name and value, making it possible to work with query strings that contain multiple search parameters that have the same name. (Firefox bug 1831587).
  • Removals:
  • The deprecated mozPreservesPitch alias of HTMLMediaElement.preservesPitch has been disabled by default, and may be fully removed in a future release (Firefox bug 1831205).
  • WebDriver conformance (WebDriver BiDi, Marionette):
  • WebDriver BiDi:
  • The payload now always includes stack traces for responses and events without capping it after the first 50 "throw" usages in a realm (Firefox bug 1791715).
  • When using input.performActions, any ongoing wheel transaction is now reset at the end of the command to not retain state and to not leak into following actions within the same tab (Firefox bug 1821733).
  • When using a pointerMove action with input.performActions, an invalid element origin now correctly raises a "no such error" failure (Firefox bug 1832028).
  • A race condition for the initial page load has been fixed that could appear when directly interacting with a newly opened tab or window (Firefox bug 1832891).
  • Marionette:
  • Both the commands WebDriver:GetComputedLabel and WebDriver:GetComputedRole now correctly wait for the requested accessibility object for an element to exist if it just got inserted into the DOM (Firefox bug 1828816).
  • All instances of window.setTimeout() in our privileged code running in content processes now use a variant timer that is not affected by the throttling of the timers in case the given tab for automation is in the background.
  • Changes for add-on developers:
  • To support its deprecation from Manifest V3 extensions, manifest key property browser_style defaults to false in options_ui and sidebar_action for Manifest V3 extensions (Firefox bug 1830710). See Manifest v3 migration for information about transitioning from browser_style in Manifest V3 extensions.
  • The commands.onChanged event, which enables web extensions to listen for changes to command shortcuts, has been added (Firefox bug 1801531).
  • Support has been added for storage.session, which provides the ability to store data in memory for the duration of the browser session (Firefox bug 18237131).

New in Firefox ESR 115.3.1 (Oct 17, 2023)

  • Security fix:
  • CVE-2023-5217: Heap buffer overflow in libvpx

New in Firefox ESR 115.3.0 (Sep 28, 2023)

  • Various security fixes and other quality improvements:
  • CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1
  • CVE-2023-5169: Out-of-bounds write in PathOps
  • CVE-2023-5171: Use-after-free in Ion Compiler
  • CVE-2023-5174: Double-free in process spawning on Windows
  • CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3

New in Firefox ESR 115.2.1 (Sep 14, 2023)

  • Security fix:
  • CVE-2023-4863: Heap buffer overflow in libwebp

New in Firefox ESR 115.2.0 (Sep 12, 2023)

  • Various security fixes and other quality improvements:
  • CVE-2023-4573: Memory corruption in IPC CanvasTranslator
  • CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback
  • CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback
  • CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation
  • CVE-2023-4581: XLL file extensions were downloadable without warnings
  • CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2

New in Firefox ESR 115.2.0 RC 1 (Aug 21, 2023)

  • Various security fixes:
  • CVE-2023-4045: Offscreen Canvas could have bypassed cross-origin restrictions
  • CVE-2023-4046: Incorrect value used during WASM compilation
  • CVE-2023-4047: Potential permissions request bypass via clickjacking
  • CVE-2023-4048: Crash in DOMParser due to out-of-memory conditions
  • CVE-2023-4049: Fix potential race conditions when releasing platform objects
  • CVE-2023-4050: Stack buffer overflow in StorageManager
  • CVE-2023-4052: File deletion and privilege escalation through Firefox uninstaller
  • CVE-2023-4054: Lack of warning when opening appref-ms files
  • CVE-2023-4055: Cookie jar overflow caused unexpected cookie jar state
  • CVE-2023-4056: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
  • CVE-2023-4057: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1

New in Firefox ESR 102.11.0 (May 10, 2023)

  • Various security fixes and other quality improvements:
  • CVE-2023-32205: Browser prompts could have been obscured by popups
  • CVE-2023-32206: Crash in RLBox Expat driver
  • CVE-2023-32207: Potential permissions request bypass via clickjacking
  • CVE-2023-32211: Content process crash due to invalid wasm code
  • CVE-2023-32212: Potential spoof due to obscured address bar
  • CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()
  • CVE-2023-32214: Potential DoS via exposed protocol handlers
  • CVE-2023-32215: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

New in Firefox ESR 102.10.0 (May 2, 2023)

  • Various security fixes:
  • CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass
  • CVE-2023-29533: Fullscreen notification obscured
  • CVE-2023-1999: Double-free in libwebp
  • CVE-2023-29535: Potential Memory Corruption following Garbage Collector compaction
  • CVE-2023-29536: Invalid free from JavaScript code
  • CVE-2023-29539: Content-Disposition filename truncation leads to Reflected File Download
  • CVE-2023-29542: Bypass of file download extension restrictions
  • CVE-2023-29545: Windows Save As dialog resolved environment variables
  • CVE-2023-29548: Incorrect optimization result on ARM64
  • CVE-2023-1945: Memory Corruption in Safe Browsing Code
  • CVE-2023-29550: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10
  • Developers:
  • APIs:
  • The non-standard interfaces IDBMutableFile, IDBFileHandle, IDBFileRequest, and the method IDBDatabase.createMutableFile() have been disabled by default in preparation for removal in a future release (Firefox bug 1764771).
  • Transform streams are now supported, allowing you to pipe from ReadableStream to a WritableStream, executing a transformation on the chunks. The update includes the new interfaces TransformStream and TransformStreamDefaultController and the method ReadableStream.pipeThrough() (Firefox bug 1767507).
  • Readable byte streams are now supported, allowing efficient zero-copy transfer of data from an underlying byte source to a consumer (bypassing the stream's internal queues). The new interfaces are ReadableStreamBYOBReader, ReadableByteStreamController and ReadableStreamBYOBRequest (Firefox bug 1767342).
  • Security:
  • Support of the wasm-unsafe-eval CSP policy directive has been implemented. A document with a CSP that restricts scripts will no longer load and execute WebAssembly unless the CSP uses 'wasm-unsafe-eval' or the existing 'unsafe-eval' keyword (Firefox bug 1740263).
  • DOM:
  • The Firefox-only property Window.sidebar has been moved behind a preference and is planned for removal (Firefox bug 1768486).
  • WebDriver conformance:
  • WebDriver BiDi:
  • There are some improvements to WebDriver BiDi's browsingContext.navigate:
  • Fixed edge cases where the navigation could incorrectly time out (Firefox bug 1766217).
  • Added support for hash changes (Firefox bug 1763127).
  • Added support for navigation to error pages (Firefox bug 1763124).
  • Marionette:
  • Allow Marionette to connect to a windowless instance of Firefox (Firefox bug 1726465).
  • Fixed issue where WebDriver:Navigate with a PageLoadStrategy of "none" returns before navigation has started (Firefox bug 1754132).
  • Fixed a potential race condition in WebDriver:SwitchToWindow when switching to a different tab (Firefox bug 1749666).
  • Changes for add-on developers:
  • The scripting API, which provides features to execute script, insert and remove CSS, and manage the registration of content scripts, is available to Manifest V2 extensions (Firefox bug 1766615).
  • The nonPersistentCookies option of the privacy.websites cookieConfig property has been deprecated (Firefox bug 1754924).
  • Manifest V3 preview features:
  • With the introduction of support for the 'wasm-unsafe-eval' CSP keyword in Firefox (Firefox bug 1740263), Manifest V3 extensions are now required to specify this keyword in the content_security_policy manifest key to use WebAssembly. For backwards-compatibility, Manifest V2 extensions can still use WebAssembly without the keyword (Firefox bug 1766027).
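The 'wasm-unsafe-eval' rule from the Security note and the Manifest V3 note above can be checked mechanically. The following is an added example, not Mozilla's code: the function names and sample policies are constructed for illustration, and it assumes the CSP convention that script-src falls back to default-src and that every policy in a comma-separated header value must allow the operation.

```javascript
// Added example: audits whether a CSP permits WebAssembly under the
// 'wasm-unsafe-eval' rule described above. All function names are hypothetical.

// Parse one serialized policy into a Map of directive name -> source tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs script execution: script-src, else default-src.
// Returns undefined when the policy does not restrict scripts at all.
function governingSources(policy) {
  const d = parsePolicy(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  return sources === undefined ? undefined : sources.map((s) => s.toLowerCase());
}

// One policy allows Wasm if it does not restrict scripts, or if the governing
// list carries 'wasm-unsafe-eval' or the existing 'unsafe-eval' keyword.
function policyAllowsWasm(policy) {
  const sources = governingSources(policy);
  if (sources === undefined) return true;
  return sources.includes("'wasm-unsafe-eval'") || sources.includes("'unsafe-eval'");
}

// A header value may carry several comma-separated policies; all must allow.
function cspAllowsWasm(headerValue) {
  return headerValue
    .split(',')
    .filter((p) => p.trim() !== '')
    .every(policyAllowsWasm);
}

// Extension manifests: Manifest V2 keeps working without the keyword, while
// Manifest V3 must name 'wasm-unsafe-eval' in content_security_policy.
function extensionAllowsWasm(manifest) {
  if (manifest.manifest_version === 2) return true;
  const csp = manifest.content_security_policy;
  const pages = csp && typeof csp === 'object' ? csp.extension_pages : undefined;
  if (typeof pages !== 'string') return false; // keyword never specified
  const sources = governingSources(pages);
  return sources !== undefined && sources.includes("'wasm-unsafe-eval'");
}

// Constructed sample policies for a quick audit run.
const samples = [
  "default-src 'self'",
  "script-src 'self' 'wasm-unsafe-eval'",
  "default-src 'self' 'wasm-unsafe-eval'; script-src 'self'",
];
for (const s of samples) {
  console.log(cspAllowsWasm(s) ? 'wasm allowed: ' : 'wasm blocked: ', s);
}
```

The third sample is the case most often missed in review: the keyword on default-src has no effect once a script-src directive is present.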

New in Firefox ESR 102.9.0 (Apr 10, 2023)

  • Various security fixes.

New in Firefox ESR 102.8.0 (Mar 13, 2023)

  • Various security fixes.

New in Firefox ESR 102.7.0 (Feb 6, 2023)

  • Various stability, functionality, and security fixes.

New in Firefox ESR 102.6.0 (Jan 16, 2023)

  • Various stability, functionality, and security fixes:
  • CVE-2022-46880: Use-after-free in WebGL
  • CVE-2022-46872: Arbitrary file read from a compromised content process
  • CVE-2022-46881: Memory corruption in WebGL
  • CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
  • CVE-2022-46882: Use-after-free in WebGL
  • CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6

New in Firefox ESR 102.5.0 (Dec 12, 2022)

  • Various stability, functionality, and security fixes.

New in Firefox ESR 102.4.0 (Oct 19, 2022)

  • Various stability, functionality, and security fixes:
  • CVE-2022-42927: Same-origin policy violation could have leaked cross-origin URLs
  • CVE-2022-42928: Memory Corruption in JS Engine
  • CVE-2022-42929: Denial of Service via window.print
  • CVE-2022-42932: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4

New in Firefox ESR 102.3.0 (Sep 21, 2022)

  • Fixed:
  • Various stability, functionality, and security fixes.

New in Firefox ESR 102.2.0 (Sep 19, 2022)

  • Fixed:
  • Address bar spoofing via XSLT error handling
  • Cross-origin XSLT Documents would have inherited the parent's permissions
  • Data race and potential use-after-free in PK11_ChangePW
  • Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
  • Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

New in Firefox ESR 102.1.0 (Jul 26, 2022)

  • Fixed:
  • Fixed creating a bookmark shortcut by dragging to Windows File Explorer and dropping, which was partially broken (bug 1774683)
  • Fixed bookmarks sidebar flashing white when opened in dark mode (bug 1776157)
  • Fixed multilingual spell checking not working with content in both English and a non-Latin alphabet (bug 1773802)
  • Developer tools: Fixed an issue where the console output kept getting scrolled to the bottom when the last visible message is an evaluation result (bug 1776262)
  • Fixed the "Delete cookies and site data when Firefox is closed" checkbox getting disabled on startup (bug 1777419)
  • Various stability fixes

New in Firefox ESR 91.10.0 (Jun 27, 2022)

  • Fixed:
  • Security Vulnerabilities fixed in Firefox ESR 91.10
  • CVE-2022-31736: Cross-Origin resource's length leaked
  • CVE-2022-31737: Heap buffer overflow in WebGL
  • CVE-2022-31738: Browser window spoof using fullscreen mode
  • CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files
  • CVE-2022-31740: Register allocation problem in WASM on arm64
  • CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
  • CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10

New in Firefox ESR 91.9.1 (May 20, 2022)

  • Fixed:
  • Security fix:
  • CVE-2022-1802: Prototype pollution in Top-Level Await implementation
  • CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution

New in Firefox ESR 91.7.1 (Mar 31, 2022)

  • Changed:
  • Yandex and Mail.ru have been removed as optional search providers in the drop-down search menu in Firefox.
  • If you previously installed a customized version of Firefox with Yandex or Mail.ru, offered through partner distribution channels, this release removes those customizations, including add-ons and default bookmarks. Where applicable, your browser will revert back to default settings, as offered by Mozilla. All other releases of Firefox remain unaffected by the change.

New in Firefox ESR 91.6.1 (Mar 5, 2022)

  • Security fix:
  • CVE-2022-26485: Use-after-free in XSLT parameter processing
  • CVE-2022-26486: Use-after-free in WebGPU IPC Framework

New in Firefox ESR 91.5.1 (Feb 1, 2022)

  • Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry (bug 1752317)

New in Firefox ESR 91.4.1 (Jan 6, 2022)

  • Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains (bug 1745600)

New in Firefox ESR 91.2.0 (Nov 1, 2021)

  • Various stability, functionality, and security fixes:
  • CVE-2021-38496: Use-after-free in MessageTask
  • CVE-2021-38497: Validation message could have been overlaid on another origin
  • CVE-2021-38498: Use-after-free of nsLanguageAtomService object
  • CVE-2021-32810: Data race in crossbeam-deque
  • CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
  • CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2

New in Firefox ESR 91.1.0 (Sep 8, 2021)

  • Fixed:
  • Various stability, functionality, and security fixes

New in Firefox ESR 78.10.1 (May 4, 2021)

  • Fixed:
  • Resolved an issue caused by a recent Widevine plugin update which prevented some purchased video content from playing correctly (bug 1705138)

New in Firefox ESR 78.10.0 (Apr 20, 2021)

  • Various stability, functionality, and security fixes:
  • CVE-2021-23994: Out of bound write due to lazy initialization
  • CVE-2021-23995: Use-after-free in Responsive Design Mode
  • CVE-2021-23998: Secure Lock icon could have been spoofed
  • CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
  • CVE-2021-23999: Blob URLs may have been granted additional privileges
  • CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
  • CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
  • CVE-2021-29946: Port blocking could be bypassed
  • Changes for web developers:
  • Developer Tools:
  • Debugger:
  • You can now change the URL accessed by the remote device from the about:debugging panel. (bug 1617237)
  • The Disable JavaScript menu item in the Debugger now only affects the current tab, and is reset when the Developer Tools are closed. (bug 1640318)
  • Logpoints can map variable names in source-mapped code back to their original names, if you enable Maps in the Scopes pane. (bug 1536857)
  • Network Monitor:
  • In the Network Monitor, you can now resize the columns of the request list by dragging the column borders anywhere in the table. (bug 1618409)
  • The request details panel in the Network Monitor has some UX improvements. (bug 1631302, bug 1631295)
  • If a request was blocked, the request list now shows the reason, such as an add-on, CSP, CORS, or Enhanced Tracking Protection. (bug 1555057, bug 1445637, bug 1556451)
  • Other tools:
  • The Accessibility inspector is out of beta. You can use it to check for various accessibility issues on your site. (bug 1602075)
  • Uncaught promise errors now provide all details in the Console, including their name and stack. (bug 1636590)
  • CSS:
  • The :is() and :where() pseudo-classes are now enabled by default (bug 1632646).
  • The :read-only and :read-write pseudo-classes are now supported without prefixes (bug 312971).
  • In addition, :read-write styles are no longer applied to disabled <input> and <textarea> elements, which was a violation of the HTML spec (bug 888884).
  • JavaScript:
  • The Intl.ListFormat API is now supported (bug 1589095).
  • The Intl.NumberFormat() constructor has been extended to support new options specified in the Intl.NumberFormat Unified API Proposal (bug 1633836). This includes among other things:
  • Support for scientific notations
  • Unit, currency and sign display formatting
  • The RegExp engine has been updated and now supports all new features introduced in ECMAScript 2018:
  • Lookbehind assertions (bug 1225665)
  • RegExp.prototype.dotAll (bug 1361856)
  • Unicode property escapes (bug 1361876)
  • Named capture groups (bug 1362154)
  • Due to a WebIDL spec change in mid-2020, we've added a Symbol.toStringTag property to all DOM prototype objects (bug 1277799).
  • The garbage collection of WeakMap objects has been improved. WeakMaps are now marked incrementally (bug 1167452).
  • APIs:
  • DOM:
  • The ParentNode.replaceChildren() method has been implemented (bug 1626015).
  • Service workers:
  • Extended Support Releases (ESR): Firefox 78 is the first ESR release that supports Service workers (and the Push API). Earlier ESR releases had no support (bug 1547023).
  • WebAssembly:
  • Wasm Multi-value is now supported, meaning that WebAssembly functions can now return multiple values, and instruction sequences can consume and produce multiple stack values (bug 1628321).
  • WebAssembly now supports import and export of 64-bit integer function parameters (i64) using BigInt from JavaScript (bug 1608770).
  • TLS 1.0 and 1.1 removal:
  • Support for versions 1.0 and 1.1 of the Transport Layer Security (TLS) protocol is dropped from all browsers. Read TLS 1.0 and 1.1 Removal Update for the previous announcement and what actions to take if you are affected (bug 1643229).
  • Changes for add-on developers:
  • browsingData.removeCache and browsingData.removePluginData now support deleting by hostname. (bug 1636784).
  • When using proxy.onRequest, a filter that limits based on tab id or window id is now correctly applied. This could be useful for add-ons that want to provide proxy functionality in just one window.
  • Clicking within the context menu from the "all tabs" dropdown now passes the appropriate tab object. In the past, the active tab was erroneously passed.
  • When using downloads.download with the saveAs option, the recently used directory is now remembered. While this information is not available to developers, it is very convenient to users.

New in Firefox ESR 78.8.0 (Feb 26, 2021)

  • Security fixes:
  • CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
  • CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
  • CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
  • CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

New in Firefox ESR 78.7.0 (Feb 5, 2021)

  • Security Vulnerabilities:
  • CVE-2021-23953: Cross-origin information leakage via redirected PDF requests
  • CVE-2021-23954: Type confusion when using logical assignment operators in JavaScript switch statements
  • CVE-2020-26976: HTTPS pages could have been intercepted by a registered service worker when they should not have been
  • CVE-2021-23960: Use-after-poison for incorrectly redeclared JavaScript variables during GC
  • CVE-2021-23964: Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7

New in Firefox ESR 78.3.1 (Oct 5, 2020)

  • Fixed legacy preferences not being properly applied when set via GPO (bug 1666836).

New in Firefox ESR 78.3.0 (Sep 30, 2020)

  • Various stability, functionality, and security fixes:
  • CVE-2020-15677: Download origin spoofing via redirect
  • CVE-2020-15676: XSS when pasting attacker-controlled data into a contenteditable element
  • CVE-2020-15678: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
  • CVE-2020-15673: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3

New in Firefox ESR 78.2.0 (Aug 24, 2020)

  • Various stability, functionality, and security fixes

New in Firefox ESR 78.1.0 (Aug 24, 2020)

  • Various stability, functionality, and security fixes

New in Firefox ESR 78.0.2 (Jul 9, 2020)

  • Security fix
  • Fixed an accessibility regression in reader mode (bug 1650922)
  • Made the address bar more resilient to data corruption in the user profile (bug 1649981)
  • Fixed a regression opening certain external applications (bug 1650162)

New in Firefox ESR 78.0.1 (Jul 8, 2020)

  • Fixed an issue which could cause installed search engines to not be visible when upgrading from a previous release.

New in Firefox ESR 68.9.0 (Jun 1, 2020)

  • New:
  • Enhanced Tracking Protection (ETP) rolls out stronger privacy protections:
  • The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
  • The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.
  • The Block Autoplay feature is enhanced to give users the option to block any video that automatically starts playing, not just those that automatically play with sound.
  • For our users in the US or using the en-US browser, we are shipping a new “New Tab” page experience that connects you to the best of Pocket’s content.
  • Support for the Web Authentication HmacSecret extension via Windows Hello now comes with this release, for versions of Windows 10 May 2019 or newer, enabling more passwordless experiences on the web.
  • Support for receiving multiple video codecs with this release makes it easier for WebRTC conferencing services to mix video from different clients.
  • For our users on Windows 10, you’ll see performance and UI improvements:
  • Firefox will give Windows hints to appropriately set content process priority levels, meaning more processor time spent on the tasks you're actively working on, and less processor time spent on things in the background (with the exception of video and audio playback).
  • For our existing Windows 10 users, you can easily find and launch Firefox from a shortcut on the Win10 taskbar.
  • For our users on macOS, battery life and download UI are both improved:
  • macOS users on dual-graphics-card machines (like MacBook Pro) will switch back to the low-power GPU more aggressively, saving battery life.
  • Finder on macOS now displays download progress for files being downloaded.
  • JIT support comes to ARM64 for improved performance of our JavaScript Optimizing JIT compiler.
  • Fixed:
  • Various security fixes
  • Changed:
  • As previously announced in the Plugin Roadmap for Firefox, the "Always Activate" option for Flash plugin content has been removed. Firefox will now always ask for user permission before activating Flash content on a website.
  • With the deprecation of Adobe Flash Player, there is no longer a need to identify users on the 32-bit version of the Firefox browser on 64-bit operating systems. This reduces user agent fingerprinting factors, providing a greater level of privacy to our users, and improves the experience of downloading other apps.
  • Firefox no longer loads userChrome.css or userContent.css by default, improving start-up performance. Users who wish to customize Firefox by using these files can set the toolkit.legacyUserProfileCustomizations.stylesheets preference to true to restore this ability.

New in Firefox ESR 68.4.1 (Jan 9, 2020)

  • Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1:
  • Announced: January 8, 2020
  • Impact: critical
  • Products: Firefox, Firefox ESR
  • CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
  • Impact: critical
  • Description: Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.

New in Firefox ESR 68.3.0 (Dec 4, 2019)

  • Updates to improve performance and stability (full list of fixes)
  • Various security fixes

New in Firefox ESR 68.2.0 (Oct 23, 2019)

  • Various security fixes:
  • CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
  • CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
  • CVE-2019-11758: Potentially exploitable crash due to 360 Total Security
  • CVE-2019-11759: Stack buffer overflow in HKDF output
  • CVE-2019-11760: Stack buffer overflow in WebRTC networking
  • CVE-2019-11761: Unintended access to a privileged JSONView object
  • CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation
  • CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
  • CVE-2019-11764: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
  • Enterprise:
  • New administrative policies were added. More information and templates are available at the Policy Templates page.

New in Firefox ESR 68.1.0 (Oct 17, 2019)

  • Fixed:
  • Various security fixes
  • Various stability and functionality fixes
  • Changed:
  • Re-enabled XMLDocument.async and XMLDocument.load to maintain better legacy compatibility

New in Firefox ESR 68.0.2 (Aug 26, 2019)

  • Fixed:
  • Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar (bug 1560228)
  • Allow fonts to be loaded via file:// URLs when opening a page locally (bug 1565942)
  • Printing emails from the Outlook web app no longer prints only the header and footer (bug 1567105)
  • Fixed a bug causing some images not to be displayed on reload, including on Google Maps (bug 1565542)
  • Fixed an error when starting external applications configured as URI handlers (bug 1567614)
  • Security fixes

New in Firefox ESR 68.0 (Aug 26, 2019)

  • New:
  • Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars.
  • Improved extension security and discovery:
  • New reporting feature in about:addons allows you to report security and performance issues with extensions and themes.
  • Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension.
  • Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. "Recommended" badges for these extensions also appear on AMO. More extensions will be added over time.
  • Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences
  • WebRender will roll out to Windows 10 users with AMD graphics cards
  • Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed
  • Fixed:
  • Various security fixes
  • Local files can no longer access other files in the same directory.
  • Changed:
  • Unified existing locales (bn-BD, bn-IN) under a single Bengali (bn) localization.
  • The following unmaintained translations have been removed: Assamese (as), English - South Africa (en-ZA), Maithili (mai), Malayalam (ml), Odia (or). Existing users will be migrated to the British English (en-GB) version.
  • When an HTTPS error caused by antivirus software is detected, Firefox will attempt to automatically fix it
  • Camera and microphone access now require an HTTPS connection.
  • The way non-default preferences are synced has changed. Please see this support article for more details
  • Enterprise:
  • For all operating systems, we have a number of additional policies including:
  • New tab page configuration and disabling
  • Local file links
  • Download behavior
  • Search suggestions
  • Managed storage for using policies in WebExtensions
  • Extension whitelisting and blacklisting by ID and website
  • A subset of commonly used Firefox preferences
  • Developer:
  • Firefox Developer Tools now offers a full page color contrast audit that identifies all elements on a page that fail color contrast checks.
  • Added about:compat, where website-specific workarounds are listed and may be toggled. These workarounds are meant as temporary fixes for various forms of website breakage for Firefox, while the website fixes them in due time. With about:compat, it is now easy to see all of the workarounds that are active in Firefox, and easy for website developers to disable a given workaround for testing purposes.
  • Introduces CSS Scroll Snap module that enforces scroll snap positions.
  • Unresolved:
  • The new URL bar implementation does not handle javascript: bookmarklets triggered via bookmark keywords correctly yet (bug 1552141)
  • Windows administrator users with UAC turned off may no longer be able to drag content out of Firefox. See this support article to learn more

New in Firefox ESR 60.8.0 (Jul 10, 2019)

  • Various security fixes

New in Firefox ESR 60.7.1 (Jun 19, 2019)

  • Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1

New in Firefox ESR 60.6.3 (May 8, 2019)

  • Further improvements to re-enable web extensions which had been disabled for users with a master password set (Bug 1549249).

New in Firefox ESR 60.6.2 (May 6, 2019)

  • Repaired certificate chain to re-enable web extensions that had been disabled

New in Firefox ESR 60.5.2 (Feb 22, 2019)

  • Fixed a frequent crash when reading various Reuters news articles (bug 1505844)

New in Firefox ESR 60.5.1 (Feb 12, 2019)

  • Various security fixes

New in Firefox ESR 60.3.0 (Oct 24, 2018)

  • CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin
  • CVE-2018-12392: Crash with nested event loops
  • CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript
  • CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting
  • CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts
  • CVE-2018-12397: A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened.
  • CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3

New in Firefox ESR 60.0.2 (Jun 7, 2018)

  • CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG with Skia:
  • A heap buffer overflow can occur in the Skia library when rasterizing paths using a maliciously crafted SVG file with anti-aliasing turned off. This results in a potentially exploitable crash.

New in Firefox ESR 52.7.4 (May 5, 2018)

  • Fix for compatibility with Windows 10 April 2018 update (Bug 1452619)

New in Firefox ESR 52.6.0 (Feb 21, 2018)

  • Various stability and regression fixes
  • Security fixes:
  • Security vulnerabilities fixed in Firefox ESR 52.6
  • Speculative execution side-channel attack ("Spectre")

New in Firefox ESR 52.5.3 (Jan 18, 2018)

  • Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bug 1427111)

New in Firefox ESR 52.5.0 (Dec 28, 2017)

  • Various security fixes
  • Various stability and regression fixes

New in Firefox ESR 52.4.0 (Oct 5, 2017)

  • Fixed:
  • Various security fixes
  • Various stability and regression fixes

New in Firefox ESR 52.3.0 (Aug 9, 2017)

  • Fixed:
  • Various stability and regression fixes
  • Various security fixes

New in Firefox ESR 52.2.1 (Jul 6, 2017)

  • Printing text does not work on Windows when Direct2D is disabled (Bug 1318845)

New in Firefox ESR 52.2.0 (Jun 14, 2017)

  • Fixed:
  • Various security fixes
  • Changed:
  • Improved file type recognition on Windows