Portable Firefox ESR Changelog

What's new in Portable Firefox ESR 115.10.0

Apr 17, 2024
  • Various security fixes and other quality improvements:
  • CVE-2024-3852: GetBoundName in the JIT returned the wrong object
  • CVE-2024-3854: Out-of-bounds-read after mis-optimized switch statement
  • CVE-2024-3857: Incorrect JITting of arguments led to use-after-free during garbage collection
  • CVE-2024-2609: Permission prompt input delay could expire when not in focus
  • CVE-2024-3859: Integer-overflow led to out-of-bounds-read in the OpenType sanitizer
  • CVE-2024-3861: Potential use-after-free due to AlignedBuffer self-move
  • CVE-2024-3863: Download Protections were bypassed by .xrm-ms files on Windows
  • CVE-2024-3302: Denial of Service using HTTP/2 CONTINUATION frames
  • CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10

New in Portable Firefox ESR 115.9.0 (Mar 20, 2024)

  • Various security fixes and other quality improvements:
  • CVE-2024-0743: Crash in NSS TLS method
  • CVE-2024-2605: Windows Error Reporter could be used as a Sandbox escape vector
  • CVE-2024-2607: JIT code failed to save return registers on Armv7-A
  • CVE-2024-2608: Integer overflow could have led to out of bounds write
  • CVE-2024-2616: Improve handling of out-of-memory conditions in ICU
  • CVE-2023-5388: NSS susceptible to timing attack against RSA decryption
  • CVE-2024-2610: Improper handling of html and body tags enabled CSP nonce leakage
  • CVE-2024-2611: Clickjacking vulnerability could have led to a user accidentally granting permissions
  • CVE-2024-2612: Self referencing object could have potentially led to a use-after-free
  • CVE-2024-2614: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9
  • Developer:
  • HTML:
  • The modulepreload keyword for the rel attribute of the <link> element is now supported. This allows early (and asynchronous) fetching of module scripts and their dependencies in parallel, which are then stored in the document's module map (Firefox bug 1425310).
  • CSS:
  • The CSS animation-composition property is now supported by default. You can use this property to specify the composite operation to use when multiple animations affect the same property simultaneously. (Firefox bug 1823862).
  • The supports-conditions in the CSS @import at-rule supports() function is now supported by default. This feature allows stylesheets to be imported only if the specified feature is supported in the user's browser. (Firefox bug 1830779).
  • JavaScript:
  • The Array.fromAsync() static method is now supported. The method asynchronously returns a new, shallow-copied Array instance from an async iterable, iterable, or array-like object (Firefox bug 1795816).
  • The Array and TypedArray methods Array.toReversed(), Array.toSorted(), Array.toSpliced(), Array.with(), TypedArrays.toReversed(), TypedArrays.toSorted(), and TypedArrays.with() are now supported. These methods return a new array with elements that have been shallow copied (similarly named methods without the to prefix modify the array elements in place). (Firefox bug 1811057).
  • HTTP:
  • The Sec-Purpose HTTP fetch metadata request header is now included in requests to Prefetch resources. This allows servers to provide any special handling that might be needed, such as adjusting the caching expiry for the request (Firefox bug 1836328).
  • APIs:
  • The Response.json() static method is now supported, making it easier to construct Response objects for returning JSON data. The method will be useful for service workers and any other code that needs to respond to browser requests with JSON data (Firefox bug 1758943).
  • The URL.canParse() static method can now be used to parse and validate an absolute URL, or a relative URL and base URL. This provides a fast and easy way to check if URLs are valid, instead of constructing them within a try...catch block and handling exceptions. (Firefox bug 1823354).
  • The URLSearchParams.has() and URLSearchParams.delete() methods now support the optional value argument. This allows matching a search parameter on both the name and value, making it possible to work with query strings that contain multiple search parameters that have the same name. (Firefox bug 1831587).
  • Removals:
  • The deprecated mozPreservesPitch alias of HTMLMediaElement.preservesPitch has been disabled by default, and may be fully removed in a future release (Firefox bug 1831205).
  • WebDriver conformance (WebDriver BiDi, Marionette):
  • WebDriver BiDi:
  • The payload now always includes stack traces for responses and events without capping it after the first 50 "throw" usages in a realm (Firefox bug 1791715).
  • When using input.performActions, any ongoing wheel transaction is now reset at the end of the command to not retain state and to not leak into following actions within the same tab (Firefox bug 1821733).
  • When using a pointerMove action with input.performActions, an invalid element origin now correctly raises a "no such error" failure (Firefox bug 1832028).
  • A race condition for the initial page load has been fixed that could appear when directly interacting with a newly opened tab or window (Firefox bug 1832891).
  • Marionette:
  • Both the commands WebDriver:GetComputedLabel and WebDriver:GetComputedRole now correctly wait for the requested accessibility object for an element to exist if it just got inserted into the DOM (Firefox bug 1828816).
  • All instances of window.setTimeout() in our privileged code running in content processes now use a variant timer that is not affected by the throttling of the timers in case the given tab for automation is in the background.
  • Changes for add-on developers:
  • To support its deprecation from Manifest V3 extensions, manifest key property browser_style defaults to false in options_ui and sidebar_action for Manifest V3 extensions (Firefox bug 1830710). See Manifest v3 migration for information about transitioning from browser_style in Manifest V3 extensions.
  • The commands.onChanged event, which enables web extensions to listen for changes to command shortcuts, has been added (Firefox bug 1801531).
  • Support has been added for storage.session, which provides the ability to store data in memory for the duration of the browser session (Firefox bug 18237131).

New in Portable Firefox ESR 115.8.0 (Feb 21, 2024)

  • Various security fixes and other quality improvements:
  • CVE-2024-1546: Out-of-bounds memory read in networking channels
  • CVE-2024-1547: Alert dialog could have been spoofed on another site
  • CVE-2024-1548: Fullscreen Notification could have been hidden by select element
  • CVE-2024-1549: Custom cursor could obscure the permission dialog
  • CVE-2024-1550: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants
  • CVE-2024-1551: Multipart HTTP Responses would accept the Set-Cookie header in response parts
  • CVE-2024-1552: Incorrect code generation on 32-bit ARM devices
  • CVE-2024-1553: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8

New in Portable Firefox ESR 115.7.0 (Jan 24, 2024)

  • Various security fixes and other quality improvements.

New in Portable Firefox ESR 115.6.0 (Dec 22, 2023)

  • Various security fixes and other quality improvements.

New in Portable Firefox ESR 115.3.1 (Oct 2, 2023)

  • Security fix.

New in Portable Firefox ESR 115.3.0 (Sep 28, 2023)

  • Various security fixes and other quality improvements:
  • CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1
  • CVE-2023-5169: Out-of-bounds write in PathOps
  • CVE-2023-5171: Use-after-free in Ion Compiler
  • CVE-2023-5174: Double-free in process spawning on Windows
  • CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3

New in Portable Firefox ESR 115.2.1 (Sep 14, 2023)

  • Security fix: CVE-2023-4863: Heap buffer overflow in libwebp

New in Portable Firefox ESR 115.2.0 (Aug 31, 2023)

  • Various security fixes and other quality improvements:
  • CVE-2023-4573: Memory corruption in IPC CanvasTranslator
  • CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback
  • CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback
  • CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation
  • CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics
  • CVE-2023-4051: Full screen notification obscured by file open dialog
  • CVE-2023-4578: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception
  • CVE-2023-4053: Full screen notification obscured by external program
  • CVE-2023-4580: Push notifications saved to disk unencrypted
  • CVE-2023-4581: XLL file extensions were downloadable without warnings
  • CVE-2023-4582: Buffer Overflow in WebGL glGetProgramiv
  • CVE-2023-4583: Browsing Context potentially not cleared when closing Private Window
  • CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
  • CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2
  • Changes for web developers:
  • HTML:
  • The modulepreload keyword for the rel attribute of the <link> element is now supported. This allows early (and asynchronous) fetching of module scripts and their dependencies in parallel, which are then stored in the document's module map (Firefox bug 1425310).
  • CSS:
  • The CSS animation-composition property is now supported by default. You can use this property to specify the composite operation to use when multiple animations affect the same property simultaneously. (Firefox bug 1823862).
  • The supports-conditions in the CSS @import at-rule supports() function is now supported by default. This feature allows stylesheets to be imported only if the specified feature is supported in the user's browser. (Firefox bug 1830779).
  • JavaScript:
  • The Array.fromAsync() static method is now supported. The method asynchronously returns a new, shallow-copied Array instance from an async iterable, iterable, or array-like object (Firefox bug 1795816).
  • The Array and TypedArray methods Array.toReversed(), Array.toSorted(), Array.toSpliced(), Array.with(), TypedArrays.toReversed(), TypedArrays.toSorted(), and TypedArrays.with() are now supported. These methods return a new array with elements that have been shallow copied (similarly named methods without the to prefix modify the array elements in place). (Firefox bug 1811057).
  • SVG:
  • No notable changes.
  • HTTP:
  • The Sec-Purpose HTTP fetch metadata request header is now included in requests to Prefetch resources. This allows servers to provide any special handling that might be needed, such as adjusting the caching expiry for the request (Firefox bug 1836328).
  • APIs:
  • The Response.json() static method is now supported, making it easier to construct Response objects for returning JSON data. The method will be useful for service workers and any other code that needs to respond to browser requests with JSON data (Firefox bug 1758943).
  • The URL.canParse() static method can now be used to parse and validate an absolute URL, or a relative URL and base URL. This provides a fast and easy way to check if URLs are valid, instead of constructing them within a try...catch block and handling exceptions. (Firefox bug 1823354).
  • The URLSearchParams.has() and URLSearchParams.delete() methods now support the optional value argument. This allows matching a search parameter on both the name and value, making it possible to work with query strings that contain multiple search parameters that have the same name. (Firefox bug 1831587).
  • Removals:
  • The deprecated mozPreservesPitch alias of HTMLMediaElement.preservesPitch has been disabled by default, and may be fully removed in a future release (Firefox bug 1831205).
  • WebDriver conformance (WebDriver BiDi, Marionette):
  • WebDriver BiDi:
  • The payload now always includes stack traces for responses and events without capping it after the first 50 "throw" usages in a realm (Firefox bug 1791715).
  • When using input.performActions, any ongoing wheel transaction is now reset at the end of the command to not retain state and to not leak into following actions within the same tab (Firefox bug 1821733).
  • When using a pointerMove action with input.performActions, an invalid element origin now correctly raises a "no such error" failure (Firefox bug 1832028).
  • A race condition for the initial page load has been fixed that could appear when directly interacting with a newly opened tab or window (Firefox bug 1832891).
  • Marionette:
  • Both the commands WebDriver:GetComputedLabel and WebDriver:GetComputedRole now correctly wait for the requested accessibility object for an element to exist if it just got inserted into the DOM (Firefox bug 1828816).
  • All instances of window.setTimeout() in our privileged code running in content processes now use a variant timer that is not affected by the throttling of the timers in case the given tab for automation is in the background.
  • Changes for add-on developers:
  • To support its deprecation from Manifest V3 extensions, manifest key property browser_style defaults to false in options_ui and sidebar_action for Manifest V3 extensions (Firefox bug 1830710). See Manifest v3 migration for information about transitioning from browser_style in Manifest V3 extensions.
  • The commands.onChanged event, which enables web extensions to listen for changes to command shortcuts, has been added (Firefox bug 1801531).
  • Support has been added for storage.session, which provides the ability to store data in memory for the duration of the browser session (Firefox bug 18237131).

New in Portable Firefox ESR 102.13.0 (Jul 5, 2023)

  • Various security fixes and other quality improvements:
  • CVE-2023-37201: Use-after-free in WebRTC certificate generation
  • CVE-2023-37202: Potential use-after-free from compartment mismatch in SpiderMonkey
  • CVE-2023-37207: Fullscreen notification obscured
  • CVE-2023-37208: Lack of warning when opening Diagcab files
  • CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13

New in Portable Firefox ESR 102.12.0 (Jun 8, 2023)

  • Various security fixes and other quality improvements:
  • CVE-2023-34414: Click-jacking certificate exceptions through rendering lag
  • CVE-2023-34416: Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12

New in Portable Firefox ESR 102.11.0 (May 10, 2023)

  • Various security fixes and other quality improvements:
  • CVE-2023-32205: Browser prompts could have been obscured by popups
  • CVE-2023-32206: Crash in RLBox Expat driver
  • CVE-2023-32207: Potential permissions request bypass via clickjacking
  • CVE-2023-32211: Content process crash due to invalid wasm code
  • CVE-2023-32212: Potential spoof due to obscured address bar
  • CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()
  • CVE-2023-32214: Potential DoS via exposed protocol handlers
  • CVE-2023-32215: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

New in Portable Firefox ESR 102.10.0 (Apr 11, 2023)

  • Various security fixes.

New in Portable Firefox ESR 102.9.0 (Mar 21, 2023)

  • Various security fixes.

New in Portable Firefox ESR 102.8.0 (Feb 15, 2023)

  • Various security fixes.

New in Portable Firefox ESR 102.7.0 (Jan 19, 2023)

  • Various stability, functionality, and security fixes:
  • CVE-2022-46871: libusrsctp library out of date
  • CVE-2023-23599: Malicious command could be hidden in devtools output on Windows
  • CVE-2023-23601: URL being dragged from cross-origin iframe into same tab triggers navigation
  • CVE-2023-23602: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
  • CVE-2022-46877: Fullscreen notification bypass
  • CVE-2023-23603: Calls to console.log allowed bypassing Content Security Policy via format directive
  • CVE-2023-23605: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

New in Portable Firefox ESR 102.6.0 (Dec 14, 2022)

  • Various stability, functionality, and security fixes:
  • CVE-2022-46880: Use-after-free in WebGL
  • CVE-2022-46872: Arbitrary file read from a compromised content process
  • CVE-2022-46881: Memory corruption in WebGL
  • CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
  • CVE-2022-46882: Use-after-free in WebGL
  • CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6

New in Portable Firefox ESR 102.5.0 (Nov 17, 2022)

  • Various stability, functionality, and security fixes.

New in Portable Firefox ESR 102.4.0 (Oct 19, 2022)

  • Various stability, functionality, and security fixes:
  • CVE-2022-42927: Same-origin policy violation could have leaked cross-origin URLs
  • CVE-2022-42928: Memory Corruption in JS Engine
  • CVE-2022-42929: Denial of Service via window.print
  • CVE-2022-42932: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4

New in Portable Firefox ESR 102.2.0 (Aug 24, 2022)

  • Various stability, functionality, and security fixes.
  • Changes for web developers:
  • CSS:
  • The update media feature that can be used to query the ability of the output device to modify the appearance of content after it is rendered is now available by default (bug 1422312).
  • APIs:
  • The Non-standard interfaces IDBMutableFile, IDBFileHandle, IDBFileRequest, and the method IDBDatabase.createMutableFile() have been disabled by default in preparation for removal in a future release (bug 1764771).
  • Transform streams are now supported, allowing you to pipe from ReadableStream to a WritableStream, executing a transformation on the chunks. The update includes the new interfaces TransformStream and TransformStreamDefaultController and the method ReadableStream.pipeThrough() (bug 1767507).
  • Readable byte streams are now supported, allowing efficient zero-byte transfer of data from an underlying byte source to a consumer (bypassing the stream's internal queues). The new interfaces are ReadableStreamBYOBReader, ReadableByteStreamController and ReadableStreamBYOBRequest (bug 1767342).
  • DOM:
  • The Firefox-only property Window.sidebar has been moved behind a preference and is planned for removal (bug 1768486).
  • WebDriver conformance:
  • WebDriver BiDi:
  • There are some improvements to WebDriver BiDi's browsingContext.navigate:
  • Fixed edge cases where the navigation could incorrectly timeout (bug 1766217).
  • Added support for hash changes (bug 1763127).
  • Added support for navigation to error pages (bug 1763124).
  • Marionette:
  • Allow marionette to connect to a windowless instance of Firefox (bug 1726465).
  • Fixed issue where WebDriver:Navigate with a PageLoadStrategy of "none" returns before navigation has started (bug 1754132).
  • Fixed a potential race condition in WebDriver:SwitchToWindow when switching to a different tab (bug 1749666).
  • Changes for add-on developers:
  • The scripting API, which provides features to execute script, insert and remove CSS, and manage the registration of content scripts is now available to Manifest V2 extensions (bug 1766615).
  • With the introduction of support for the 'wasm-unsafe-eval' CSP keyword in Firefox (bug 1740263), Manifest V3 extensions are now required to specify this keyword in the content_security_policy manifest key to use WebAssembly. For backwards-compatibility, Manifest V2 extensions can still use WebAssembly without the keyword (bug 1766027).
  • The nonPersistentCookies option of the privacy.websites cookieConfig property has been deprecated (bug 1754924).

New in Portable Firefox ESR 102.1.0 (Jul 27, 2022)

  • Fixed:
  • Fixed bookmark shortcut creation by dragging and dropping to Windows File Explorer being partially broken (bug 1774683)
  • Fixed bookmarks sidebar flashing white when opened in dark mode (bug 1776157)
  • Fixed multilingual spell checking not working with content in both English and a non-Latin alphabet (bug 1773802)
  • Developer tools: Fixed an issue where the console output kept getting scrolled to the bottom when the last visible message is an evaluation result (bug 1776262)
  • Fixed Delete cookies and site data when Firefox is closed checkbox getting disabled on startup (bug 1777419)
  • Various stability fixes

New in Portable Firefox ESR 91.11.0 (Jun 29, 2022)

  • Various stability, functionality, and security fixes.

New in Portable Firefox ESR 91.10.0 (Jun 1, 2022)

  • Various stability, functionality, and security fixes:
  • CVE-2022-31736: Cross-Origin resource's length leaked
  • CVE-2022-31737: Heap buffer overflow in WebGL
  • CVE-2022-31738: Browser window spoof using fullscreen mode
  • CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files
  • CVE-2022-31740: Register allocation problem in WASM on arm64
  • CVE-2022-31741: Uninitialized variable leads to invalid memory read
  • CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
  • CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10

New in Portable Firefox ESR 91.9.1 (May 24, 2022)

  • Security fixes

New in Portable Firefox ESR 91.9.0 (May 6, 2022)

  • Various stability, functionality, and security fixes.

New in Portable Firefox ESR 91.8.0 (Apr 6, 2022)

  • Various stability, functionality, and security fixes

New in Portable Firefox ESR 91.7.0 (Mar 9, 2022)

  • Various stability, functionality, and security fixes:
  • CVE-2022-26383: Browser window spoof using fullscreen mode
  • CVE-2022-26384: iframe allow-scripts sandbox bypass
  • CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures
  • CVE-2022-26381: Use-after-free in text reflows
  • CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users

New in Portable Firefox ESR 91.6.1 (Mar 7, 2022)

  • Security fixes:
  • CVE-2022-26485: Use-after-free in XSLT parameter processing
  • CVE-2022-26486: Use-after-free in WebGPU IPC Framework

New in Portable Firefox ESR 91.3.0 (Nov 2, 2021)

  • Security Vulnerabilities fixed in Firefox ESR 91.3:
  • Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing.
  • The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption, a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.
  • The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
  • When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash.
  • Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats, and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account.
  • This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.
  • A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash.
  • Note: This issue is pending a CVE assignment and will be updated when available.
  • By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
  • Due to an unusual sequence of attacker-controlled events, a JavaScript alert() dialog with arbitrary (although unstyled) contents could be displayed over the top of an uncontrolled webpage of the attacker's choosing.
  • The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.
  • Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

New in Portable Firefox ESR 91.2.0 (Oct 7, 2021)

  • Fixed:
  • Various stability, functionality, and security fixes

New in Portable Firefox ESR 91.1.0 (Sep 10, 2021)

  • Various stability, functionality, and security fixes:
  • CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
  • CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
  • Changes for web developers:
  • CSS:
  • A fix to how the @counter-style/pad descriptor handles the negative sign (bug 1714445).
  • The -moz-tab-size property has been unprefixed to the standard tab-size, and the prefixed version maintained as an alias (bug 737785).
  • Removals:
  • The non-standard -moz-outline-radius property has been removed (bug 1715984). The property has not been usable by web developers since Firefox 88; this completes the removal.
  • JavaScript:
  • Intl.DateTimeFormat.prototype.formatRange() and Intl.DateTimeFormat.prototype.formatRangeToParts() are now supported in release builds. The formatRange() method returns a localized and formatted string for the range between two Date objects (e.g. "1/05/21 – 1/10/21"). The formatRangeToParts() method returns an array containing the locale-specific parts of a formatted date range (bug 1653024).
  • The Intl.DateTimeFormat() constructor allows four new timeZoneName options for formatting how the timezone is displayed. These include the localized GMT formats shortOffset and longOffset, and the generic non-location formats shortGeneric and longGeneric (bug 1653024).
  • The Error() constructor can now take the error cause as value in the option parameter. This allows code to catch errors and throw new/modified versions that retain the original error and stack trace (bug 1679653).
  • HTTP:
  • The Gamepad API now requires a secure context (bug 1704005).
  • APIs:
  • DOM:
  • The Visual Viewport API is now enabled by default on Firefox desktop releases (it has been enabled on Firefox for Android since version 68). The API provides access to information describing the position of the visual viewport relative to the document, as well as to the window's content area. It also provides events that allow changes to the viewport to be monitored. (bug 1551302).
  • The Gamepad API is now protected by Feature-Policy: gamepad. If disallowed by the feature policy, calls to Navigator.getGamepads() will throw a SecurityError DOMException, and the gamepadconnected and gamepaddisconnected events will not fire. The default allowlist is *; this default will be updated to self in a future release, in order to match the specification. (bug 1704005).
  • Window.clientInformation has been added as an alias for Window.navigator, in order to match recent specification updates and improve compatibility with other major browsers (bug 1717072).
  • WebDriver conformance (Marionette):
  • Fixed a bug, which caused the commands WebDriver:AcceptAlert and WebDriver:DismissAlert to hang for user prompts as opened in a popup window (bug 1721982).
  • Fixed an inappropriate handling of the webSocketUrl capability, which would return true if webSocketUrl was not supported (bug 1713775).

New in Portable Firefox ESR 78.13.0 (Aug 13, 2021)

  • Various stability, functionality, and security fixes.

New in Portable Firefox ESR 78.12.0 (Jul 13, 2021)

  • Various stability, functionality, and security fixes

New in Portable Firefox ESR 78.11.0 (Jun 2, 2021)

  • Various stability, functionality, and security fixes:
  • CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
  • CVE-2021-29967: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11

New in Portable Firefox ESR 78.10.1 (May 5, 2021)

  • Fixed:
  • Resolved an issue caused by a recent Widevine plugin update which prevented some purchased video content from playing correctly (bug 1705138)
  • Security Vulnerabilities fixed in Firefox ESR 78.10.1:
  • CVE-2021-29951: Mozilla Maintenance Service could have been started or stopped by domain users

New in Portable Firefox ESR 78.10.0 (Apr 20, 2021)

  • Various stability, functionality, and security fixes:
  • CVE-2021-23994: Out of bound write due to lazy initialization
  • CVE-2021-23995: Use-after-free in Responsive Design Mode
  • CVE-2021-23998: Secure Lock icon could have been spoofed
  • CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
  • CVE-2021-23999: Blob URLs may have been granted additional privileges
  • CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
  • CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
  • CVE-2021-29946: Port blocking could be bypassed
  • Changes for web developers:
  • Developer Tools:
  • Debugger:
  • You can now change the URL accessed by the remote device from the about:debugging panel. (bug 1617237)
  • The Disable JavaScript menu item in the Debugger now only affects the current tab, and is reset when the Developer Tools are closed. (bug 1640318)
  • Logpoints can map variable names in source-mapped code back to their original names, if you enable Maps in the Scopes pane. (bug 1536857)
  • Network Monitor:
  • In the Network Monitor, you can now resize the columns of the request list by dragging the column borders anywhere in the table. (bug 1618409)
  • The request details panel in the Network Monitor has some UX improvements. (bug 1631302, bug 1631295)
  • If a request was blocked, the request list now shows the reason, such as an add-on, CSP, CORS, or Enhanced Tracking Protection. (bug 1555057, bug 1445637, bug 1556451)
  • Other tools:
  • The Accessibility inspector is out of beta. You can use it to check for various accessibility issues on your site. (bug 1602075)
  • Uncaught promise errors now provide all details in the Console, including their name and stack. (bug 1636590)
  • CSS:
  • The :is() and :where() pseudo-classes are now enabled by default (bug 1632646).
  • The :read-only and :read-write pseudo-classes are now supported without prefixes (bug 312971).
  • In addition, :read-write styles are no longer applied to disabled <input> and <textarea> elements, which was a violation of the HTML spec (bug 888884).
  • JavaScript:
  • The Intl.ListFormat API is now supported (bug 1589095).
  • The Intl.NumberFormat() constructor has been extended to support new options specified in the Intl.NumberFormat Unified API Proposal (bug 1633836). This includes among other things:
  • Support for scientific notations
  • Unit, currency and sign display formatting
  • The RegExp engine has been updated and now supports all new features introduced in ECMAScript 2018:
  • Lookbehind assertions (bug 1225665)
  • RegExp.prototype.dotAll (bug 1361856)
  • Unicode property escapes (bug 1361876)
  • Named capture groups (bug 1362154)
  • Due to a WebIDL spec change in mid-2020, we've added a Symbol.toStringTag property to all DOM prototype objects (bug 1277799).
  • The garbage collection of WeakMap objects has been improved. WeakMaps are now marked incrementally (bug 1167452).
  • APIs:
  • DOM:
  • The ParentNode.replaceChildren() method has been implemented (bug 1626015).
  • Service workers:
  • Extended Support Releases (ESR): Firefox 78 is the first ESR release that supports Service workers (and the Push API). Earlier ESR releases had no support (bug 1547023).
  • WebAssembly:
  • Wasm Multi-value is now supported, meaning that WebAssembly functions can now return multiple values, and instruction sequences can consume and produce multiple stack values (bug 1628321).
  • WebAssembly now supports import and export of 64-bit integer function parameters (i64) using BigInt from JavaScript (bug 1608770).
  • TLS 1.0 and 1.1 removal:
  • Support for versions 1.0 and 1.1 of the Transport Layer Security (TLS) protocol is dropped from all browsers. Read TLS 1.0 and 1.1 Removal Update for the previous announcement and what actions to take if you are affected (bug 1643229).
  • Changes for add-on developers:
  • browsingData.removeCache and browsingData.removePluginData now support deleting by hostname (bug 1636784).
  • When using proxy.onRequest, a filter that limits based on tab id or window id is now correctly applied. This could be useful for add-ons that want to provide proxy functionality in just one window.
  • Clicking within the context menu from the "all tabs" dropdown now passes the appropriate tab object. In the past, the active tab was erroneously passed.
  • When using downloads.download with the saveAs option, the recently used directory is now remembered. While this information is not available to developers, it is very convenient to users.

New in Portable Firefox ESR 78.9.0 (Mar 24, 2021)

  • Fixed:
  • Various stability, functionality, and security fixes

New in Portable Firefox ESR 78.8.0 (Feb 26, 2021)

  • Security fixes:
  • CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
  • CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
  • CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
  • CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

New in Portable Firefox ESR 78.7.1 (Feb 7, 2021)

  • Fixed:
  • Prevent access to NTFS special paths that could lead to filesystem corruption.

New in Portable Firefox ESR 78.7.0 (Jan 27, 2021)

  • Various stability, functionality, and security fixes:
  • CVE-2021-23953: Cross-origin information leakage via redirected PDF requests
  • CVE-2021-23954: Type confusion when using logical assignment operators in JavaScript switch statements
  • CVE-2020-26976: HTTPS pages could have been intercepted by a registered service worker when they should not have been
  • CVE-2021-23960: Use-after-poison for incorrectly redeclared JavaScript variables during GC
  • CVE-2021-23964: Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7

New in Portable Firefox ESR 78.6.1 (Jan 11, 2021)

  • Fixed a crash during video playback on Apple Silicon devices (bug 1683579).

New in Portable Firefox ESR 78.5.0 (Nov 20, 2020)

  • Fixes:
  • CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
  • CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
  • CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
  • CVE-2020-26956: XSS through paste (manual and clipboard API)
  • CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
  • CVE-2020-26959: Use-after-free in WebRequestService
  • CVE-2020-26960: Potential use-after-free in uses of nsTArray
  • CVE-2020-15999: Heap buffer overflow in freetype
  • CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
  • CVE-2020-26965: Software keyboards may have remembered typed passwords
  • CVE-2020-26966: Single-word search queries were also broadcast to local network
  • CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

New in Portable Firefox ESR 78.4.1 (Nov 11, 2020)

  • Security fix:
  • CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for

New in Portable Firefox ESR 78.3.1 (Oct 5, 2020)

  • Fixed legacy preferences not being properly applied when set via GPO (bug 1666836).

New in Portable Firefox ESR 78.3.0 (Oct 5, 2020)

  • Various stability, functionality, and security fixes:
  • CVE-2020-15677: Download origin spoofing via redirect
  • CVE-2020-15676: XSS when pasting attacker-controlled data into a contenteditable element
  • CVE-2020-15678: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
  • CVE-2020-15673: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3

New in Portable Firefox ESR 78.2.0 (Sep 1, 2020)

  • Various stability, functionality, and security fixes.

New in Portable Firefox ESR 78.1.0 (Jul 30, 2020)

  • Fixed:
  • Various stability, functionality, and security fixes

New in Portable Firefox ESR 78.0.2 (Jul 30, 2020)

  • Fixed:
  • Security fix
  • Fixed an accessibility regression in reader mode (bug 1650922)
  • Made the address bar more resilient to data corruption in the user profile (bug 1649981)
  • Fixed a regression opening certain external applications (bug 1650162)

New in Portable Firefox ESR 78.0.1 (Jul 30, 2020)

  • Fixed:
  • Fixed an issue which could cause installed search engines to not be visible when upgrading from a previous release.

New in Portable Firefox ESR 78.0 (Jul 30, 2020)

  • New:
  • The Protections Dashboard includes consolidated reports about tracking protection, data breaches, and password management. New features let you:
  • Track how many breaches you’ve resolved right from the dashboard
  • See if any of your saved passwords may have been exposed in a data breach
  • To view your dashboard, type about:protections into the address bar, or select “Protections Dashboard” from the main menu.
  • Because we know people try to fix problems by reinstalling Firefox when a simple refresh is more likely to solve the issue, we’ve added a Refresh button to the Uninstaller.
  • With this release, your screen saver will no longer interrupt WebRTC calls on Firefox, making conference and video calling in Firefox better.
  • We’ve rolled out WebRender to Windows users with Intel GPUs, bringing improved graphics performance to an even larger audience.
  • Firefox 78 is also our Extended Support Release (ESR), where the changes made over the course of the previous 10 releases will now roll out to our ESR users. Some of the highlights are:
  • Kiosk mode
  • Client certificates
  • Service Worker and Push APIs are now enabled
  • The Block Autoplay feature is enabled
  • Picture-in-picture support
  • View and manage web certificates in about:certificate
  • Pocket recommendations, featuring some of the best stories on the web, will now appear on the Firefox new tab for 100% of our users in the UK. If you don’t see them, you can turn on Pocket articles in your new tab, follow these steps.
  • Fixed:
  • Various security fixes.
  • We fixed bugs in the search results quality composition and improved search result texts based on recommendations by our partners.
  • Changed:
  • The minimal system requirements on Linux have been updated. Firefox now needs GNU libc 2.17, libstdc++ 4.8.1 and GTK+ 3.14 or newer versions.
  • As part of our ongoing effort to deprecate obsolete cryptography, we have disabled all remaining DHE-based TLS ciphersuites by default.
  • To mitigate web compatibility issues from disabling DHE-based TLS ciphersuites, Firefox 78 enables two more AES-GCM SHA2-based ciphersuites.
  • We have disabled TLS 1.0 and TLS 1.1 to improve your website connections. Sites that don't support TLS version 1.2 will now show an error page.
  • The context menu (accessed by right clicking on a tab) lets you undo multiple tab closings with a single click and places Close Tabs to the Right and Close Other Tabs in a submenu.
  • A number of accessibility improvements have been made with this release:
  • When using the JAWS screen reader, pressing the down arrow in an HTML input control with a datalist no longer incorrectly moves the cursor to the next element after the input control.
  • Screen readers no longer severely lag or freeze when focusing the microphone/camera/screen sharing indicator.
  • Large tables with thousands of rows now load much faster for screen reader users.
  • Text input controls with custom styling now correctly show the focus outline when appropriate.
  • Screen readers no longer sometimes incorrectly switch to document browsing mode unexpectedly when the user enters the main Developer Tools window.
  • We reduced a number of animations such as tab hover, search bar expansion, and others to reduce motion for users with migraines and epilepsy.
  • Enterprise:
  • Enable support for client certificates stored on macOS and Windows by setting the experimental preference security.osclientcerts.autoload to true.
  • New policies allow you to configure application handlers, disable picture in picture, and require a master password, which will be renamed to ‘primary password’ in future releases.
  • Developer:
  • DevTools Console now logs uncaught promise errors with much more detailed names, stacks, and properties, particularly improving JavaScript framework debugging.
  • Debugger’s automatic mapping for minified variable names now also works for Logpoints, which makes debugging of source-mapped projects feel more seamless.
  • The Firefox DevTools’ Network panel now highlights which extension or CORS restriction blocked a request, so developers can make their sites more resilient and secure.
  • New RegExp engine in SpiderMonkey, adding support for the dotAll flag, Unicode escape sequences, lookbehind references, and named captures.

New in Portable Firefox ESR 77.0.1 (Jul 30, 2020)

  • Fixed:
  • Disabled automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way (bug 1642723)

New in Portable Firefox ESR 77.0 (Jul 30, 2020)

  • New:
  • Pocket recommendations, featuring some of the best stories on the web, will appear on the Firefox new tab for our users in the UK. If you don’t see them, you can turn on Pocket articles in your new tab, follow these steps.
  • WebRender continues its roll out to more Firefox for Windows users, now available by default on Windows 10 laptops running on Nvidia GPUs with medium (<= 3440x1440) and large screens (> 3440x1440).
  • You can view and manage web certificates more easily on the new about:certificate page.
  • Fixed: Various security fixes.
  • A number of features have been fixed to improve Firefox accessibility.
  • The applications list in Firefox Options is now accessible to screen reader users.
  • Some live regions previously didn't report updated text with the JAWS screen reader. This issue has been fixed.
  • Date/time inputs are now no longer missing labels for users of accessibility tools.
  • Changed:
  • The browser.urlbar.oneOffSearches preference has been removed. To hide one-off search buttons uncheck search engines on the about:preferences#search page

New in Portable Firefox ESR 76.0.1 (Jul 30, 2020)

  • Fixed:
  • Fixed a bug causing some add-ons such as Amazon Assistant to see multiple onConnect events, impairing functionality (bug 1635637)
  • Fixed a crash on 32-bit Windows systems with some nVidia drivers installed (bug 1635823)

New in Portable Firefox ESR 76.0 (Jul 30, 2020)

  • New:
  • With today’s release, Firefox strengthens protections for your online account logins and passwords, with innovative approaches to managing your accounts during this critical time
  • Firefox displays critical alerts in the Lockwise password manager when a website is breached;
  • If one of your accounts is involved in a website breach and you've used the same password on other websites, you will now be prompted to update your password. A key icon identifies which accounts use that vulnerable password.
  • Automatically generate secure, complex passwords for new accounts across more of the web that are easily saved right in the browser;
  • You have been able to access and see your saved passwords under Logins and Passwords easily under the main menu. If your device happens to be shared among your family or roommates, the latest update helps to prevent casual snooping over your shoulder. If you don’t have a master password set up for Firefox, Windows and macOS now require a login to your operating system account before showing your saved passwords.
  • Picture-in-Picture allows you to multitask, the small video window following along no matter what you are doing on your computer, across different applications and even workspaces. Now, when you are ready to focus on the video, a double click can take the small window into full screen. Double click again to reduce the size again.
  • Firefox now supports Audio Worklets that will allow more complex audio processing like VR and gaming on the web; and is being adopted by some of your favorite software programs.
  • With this change, you can now join Zoom calls on Firefox without the need for any additional downloads.
  • WebRender continues its roll out to more Firefox for Windows users, now available by default on modern Intel laptops with a small screen (<= 1920x1200) for improved graphics rendering.
  • Fixed:
  • Various security fixes
  • Changed:
  • Two updates to the address bar improve its usability and visibility:
  • The shadow around the address bar field is reduced in width when a new tab is opened;
  • The bookmarks toolbar has expanded slightly in size to improve its surface area for touchscreens.
  • Developer:
  • Testing mobile interactions using DevTools’ Responsive Design Mode now mimics the device behavior for handling double-tap to zoom. This builds on previous improvements to correctly rendering meta-viewport tags, allowing developers to optimize their sites for Firefox for Android without a device.
  • Double-clicking table headers in DevTools’ network request table now resizes the column width to fit the content, making it easier to expand the important data.
  • WebSocket inspection now supports ActionCable message preview, adding to the list of automatically formatted protocols like socket.io, SignalR, WAMP, etc.

New in Portable Firefox ESR 75.0 (Jul 30, 2020)

  • With today's release, a number of improvements will help you search smarter, faster. Type less and find more with Firefox's revamped address bar:
  • Focused, clean search experience that's optimized for smaller laptop screens
  • Top sites now appear when you select the address
  • Improved readability of search suggestions with a focus on new search terms
  • Suggestions include solutions to common Firefox issues
  • On Linux, the behavior when clicking on the Address Bar and the Search Bar now matches other desktop platforms: a single click selects all without primary selection, a double click selects a word, and a triple click selects all with primary selection
  • Firefox will locally cache all trusted Web PKI Certificate Authority certificates known to Mozilla. This will improve HTTPS compatibility with misconfigured web servers and improve security.
  • Firefox is now available in Flatpak, an easier way to install and use Firefox on Linux.
  • Direct Composition is being integrated for our users on Windows to help improve performance and enable our ongoing work to ship WebRender on Windows 10 laptops with Intel graphics cards.
  • Fixed:
  • Various security fixes
  • Enterprise:
  • Experimental support for using client certificates from the OS certificate store can be enabled on macOS by setting the preference security.osclientcerts.autoload to true.
  • Enterprise policies may be used to exclude domains from being resolved via TRR (Trusted Recursive Resolver) using DNS over HTTPS.

New in Portable Firefox ESR 74.0 (Jul 30, 2020)

  • New:
  • Your login management has improved with the ability to reverse alpha sort (Name Z-A) in Lockwise, which you can access under Logins and Passwords.
  • Firefox now makes importing your bookmarks and history from the new Microsoft Edge browser on Windows and Mac simple.
  • Add-ons installed by external applications can now be removed using the Add-ons Manager (about:addons). Going forward, only users can install add-ons; they cannot be installed by an application.
  • Facebook Container prevents Facebook from tracking you around the web - Facebook logins, likes, and comments are automatically blocked on non-Facebook sites. But when we need an exception, you can now create one by adding custom sites to the Facebook Container.
  • Firefox now provides better privacy for your web voice and video calls through support for mDNS ICE by cloaking your computer’s IP address with a random ID in certain WebRTC scenarios.
  • Security fixes:
  • CVE-2020-6805: Use-after-free when removing data about origins
  • CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections against state confusion
  • CVE-2020-6807: Use-after-free in cubeb during stream destruction
  • CVE-2020-6808: URL Spoofing via javascript: URL
  • CVE-2020-6809: Web Extensions with the all-urls permission could access local files
  • CVE-2020-6810: Focusing a popup while in fullscreen could have obscured the fullscreen notification
  • CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
  • CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init
  • CVE-2020-6812: The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
  • CVE-2020-6813: @import statements in CSS could bypass the Content Security Policy nonce feature
  • CVE-2020-6814: Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
  • CVE-2020-6815: Memory and script safety bugs fixed in Firefox 74
  • We have fixed issues involving pinned tabs such as being lost. You should also no longer see them reorder themselves.
  • Changed:
  • When a video is uploaded with a batch of photos on Instagram, the Picture-in-Picture toggle would sit atop of the “next” button. The toggle is now moved allowing you to flip through to the next image of the batch.
  • On Windows, Ctrl+I can now be used to open the Page Info window instead of opening the Bookmarks sidebar. Ctrl+B still opens the Bookmarks sidebar making keyboard shortcuts more useful for our users.
  • We have disabled TLS 1.0 and TLS 1.1 to improve your website connections. Sites that don't support TLS version 1.2 will now show an error page.
  • Developer:
  • Firefox’s Debugger added support for debugging Nested Web Workers, so their execution can be paused and stepped through with breakpoints
  • Web Platform:
  • Firefox has added support for the new JavaScript optional chaining operator (?.) and CSS text-underline-position.

New in Portable Firefox ESR 73.0.1 (Jul 30, 2020)

  • Fixed:
  • Fixed crashes on Windows systems running third-party security software such as 0patch or G DATA (bug 1610790)
  • Fixed loss of browser functionality in certain circumstances such as running in Windows compatibility mode or having custom anti-exploit settings (bug 1614885)
  • Resolved problems connecting to the RBC Royal Bank website (bug 1613943)
  • Fixed Firefox unexpectedly exiting when leaving Print Preview mode (bug 1611133)

New in Portable Firefox ESR 73.0 (Jul 30, 2020)

  • New:
  • Today’s Firefox release includes two features that help users view and read website content more easily, quickly. Like all accessibility improvements, these features improve browsing for everyone.
  • Firefox has offered a page zoom feature for more than a decade that allows users to set the zoom level on a per-site basis. For users who need to zoom most websites, having to adjust zoom for each new site can be an annoyance. To address this, we have implemented a new global default zoom level setting. This option is available in about:preferences under "Language and Appearance" and can be scaled up or down from 100% as needed and sets the default zoom level for all sites. Per-site zoom is still available to make adjustments to individual sites as needed.
  • Many users with low vision rely on Windows' High Contrast Mode to make websites more readable. Traditionally, to increase the readability of text, Firefox has disabled background images when High Contrast Mode is enabled. With today’s release of Firefox 73, we introduce a “readability backplate” solution which places a block of background color between the text and background image. Now, websites in High Contrast Mode are more readable without disabling background images.
  • Fixed:
  • Various security fixes.
  • Improved audio quality when playing back audio at a faster or slower speed.
  • Firefox will now only prompt you to save logins if a field in a login form was modified.
  • Changed:
  • WebRender rollout has been expanded to include Windows 10 laptops running NVIDIA graphics cards with drivers newer than 432.00 and screen sizes smaller than 1920x1200.
  • Developer:
  • WAMP-formatted WebSocket messages (JSON, MsgPack and CBOR) are now nicely decoded for inspection in the Network panel.
  • Web Platform:
  • Improved auto-detection of legacy text encodings on old web pages which don’t explicitly declare the text encoding.
  • Unresolved:
  • Users with 0patch security software may encounter crashes at startup after updating to Firefox 73. This will be fixed in a future Firefox release. As a workaround, an exclusion for firefox.exe can be added within the 0patch settings.

New in Portable Firefox ESR 72.0.1 (Jul 30, 2020)

  • Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1:
  • Announced: January 8, 2020
  • Impact: critical
  • Products: Firefox, Firefox ESR
  • CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
  • Impact: critical
  • Description: Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.

New in Portable Firefox ESR 72.0 (Jul 30, 2020)

  • New:
  • Firefox’s Enhanced Tracking Protection marks a major new milestone in our battle against cross-site tracking: we now block fingerprinting scripts by default for all users, taking a new bold step in the fight for our users’ privacy.
  • Firefox replaces annoying notification request pop-ups with a more delightful experience, by default for all users. The pop-ups no longer interrupt your browsing; in their place, a speech bubble will appear in the address bar when you interact with the site.
  • Picture-in-picture video is now also available in Firefox for Mac and Linux: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs or apps. Learn how the feature works.
  • Fixed:
  • Various security fixes
  • Changed:
  • Support for blocking images from individual domains has been removed from Firefox, because of low usage and poor user experience.
  • Enterprise:
  • Experimental support for using client certificates from the OS certificate store can be enabled by setting the preference security.osclientcerts.autoload to true (Windows only).
  • Developer:
  • Debugger Watchpoints let developers observe object property access and writes, making data flow through an application easier to track.
  • Firefox now supports simulation of meta viewport in Responsive Design Mode.

New in Portable Firefox ESR 71.0 (Jul 30, 2020)

  • New:
  • Improvements to Lockwise, our integrated password manager:
  • Firefox now recognizes subdomains and will autofill domain logins from Lockwise
  • Integrated breach alerts from Firefox Monitor are now available to users with screen readers
  • More information about Enhanced Tracking Protection in action:
  • Notifications when Firefox blocks cryptominers
  • A running tally of blocked trackers in the protection panel accessed by clicking the address bar shield
  • Picture-in-picture video comes to Firefox for Windows: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs. Learn how the feature works.
  • Native MP3 decoding on Windows, Linux, and macOS
  • Fixed:
  • Various security fixes.
  • Changed:
  • Configuration page (about:config) reimplemented in HTML
  • Firefox will now ship with Catalan (Valencian) (ca-valencia), Tagalog (tl), and Triqui (trs)
  • Enterprise:
  • New kiosk mode functionality, which allows maximum screen space for customer-facing displays
  • Developer:
  • New videos every week on the Mozilla Developer YouTube channel
  • Improvements to the website certificate viewer, with more features and more detailed information
  • Improvements to the extensions downloads API for handling download failures
  • Extension popup windows now include the extension name instead of its moz-extension:// url when using the windows.create API
  • Extension-registered devtools panels now interact better with screen readers
  • Added support for developers, including:
  • DevTools’ Network panel can now inspect WebSocket messages and automatically formats a variety of framework formats
  • Console’s new multi-line editor mode provides an IDE-like experience that makes it convenient to iterate on longer code snippets
  • The Network panel’s new resource blocking can simulate the impact of tracking protection, security, service outages, and bad connectivity for more robust testing
  • More features and improvements can be found every release in DevTools’ “What’s New” panel in en-US

New in Portable Firefox ESR 70.0.1 (Jul 30, 2020)

  • Fixed:
  • Fix for an issue that caused some websites or page elements using dynamic JavaScript to fail to load. (Bug 1592136)
  • Update OpenH264 video plugin for macOS 10.15 users (Bug 1587543)
  • Title bar no longer shows in full screen view (Bug 1588747)
  • Changed:
  • OpenH264 video codec version bump for macOS 10.15 users (Bug 1587543)

New in Portable Firefox ESR 70.0 (Jul 30, 2020)

  • NEW:
  • More privacy protections from Enhanced Tracking Protection:
  • Social tracking protection, which blocks cross-site tracking cookies from sites like Facebook, Twitter, and LinkedIn, is now a standard feature of Enhanced Tracking Protection.
  • The Privacy Protections report shows an overview, with details, of the trackers Firefox has blocked. It provides consolidated reports from Monitor and Lockwise.
  • More security protections from Firefox Lockwise, our digital identity and password management tool:
  • Lockwise for desktop lets you create, update, and delete your logins and passwords to sync across all your devices, including the Lockwise mobile apps and Firefox mobile browsers.
  • Integrated breach alerts from Firefox Monitor, to alert you when saved logins and passwords are compromised in online data breaches.
  • Complex password generation, to help you create and save strong passwords for new online accounts.
  • Improvements to core engine components, for better browsing on more sites:
  • A faster JavaScript Baseline Interpreter to handle the modern web’s large codebases and improve page load performance by as much as 8 percent.
  • WebRender rolled out to more Firefox for Windows users, now available by default on Windows desktops with integrated Intel graphics cards and resolution of 1920x1200 or less for improved graphics rendering.
  • Compositor improvements in Firefox for macOS that reduce power consumption, speed up page load by as much as 22 percent, and reduce resource use for video by up to 37 percent.
  • More browser features to help you get the most out of Firefox products and services:
  • A stand-alone Firefox account menu for easy access to Firefox services like Monitor and Send.
  • A message panel accessed from the gift icon in the toolbar that offers a quick overview of new releases and key features.
  • When a website uses your geolocation, an indicator is shown in the address bar.
  • CHANGED:
  • Built-in Firefox pages now follow the system dark mode preference
  • Aliased theme properties have been removed, which may affect some themes
  • Passwords can now be imported from Chrome on macOS in addition to existing support for Windows
  • Readability is now greatly improved on under- or overlined texts, including links. The lines will now be interrupted instead of crossing over a glyph.
  • Improved privacy and security indicators:
  • A new crossed-out lock icon will indicate sites delivered via insecure HTTP
  • The formerly green lock icon is now grey
  • The Extended Validation (EV) indicator has been moved to the identity popup that appears when clicking the lock icon
  • DEVELOPER:
  • The Developer Tools Accessibility panel now includes an audit for keyboard accessibility and a color deficiency simulator for systems with WebRender enabled
  • Inactive CSS: The Inspector now grays out CSS declarations that don’t affect the selected element and shows a tooltip explaining why -- and even how to fix it.
  • The new DOM Mutation Breakpoints in Developer Tools allow developers to diagnose when scripts add, remove or update page content. This makes debugging of complex script interactions and dependencies a lot easier.
  • WebExtensions developers can now inspect browser.storage.local data using the "Addon Debugging" Firefox Developer Tools.
  • With new network resource search in Developer Tools, you can quickly find resources based on their request and response data, including headers, cookies and content.
  • VARIOUS SECURITY FIXES:
  • CVE-2018-6156: Heap buffer overflow in FEC processing in WebRTC
  • CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
  • CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
  • CVE-2019-11759: Stack buffer overflow in HKDF output
  • CVE-2019-11760: Stack buffer overflow in WebRTC networking
  • CVE-2019-11761: Unintended access to a privileged JSONView object
  • CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation
  • CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
  • CVE-2019-11765: Incorrect permissions could be granted to a website
  • CVE-2019-17000: CSP bypass using object tag with data: URI
  • CVE-2019-17001: CSP bypass using object tag when script-src 'none' is specified
  • CVE-2019-17002: upgrade-insecure-requests was not being honored for links dragged and dropped
  • CVE-2019-11764: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

New in Portable Firefox ESR 69.0.3 (Jul 30, 2020)

  • Fixed:
  • Fixed download errors for Windows 10 users with Parental Controls enabled (bug 1586228)
  • Fixed Yahoo mail users being prompted to download files when clicking on emails (bug 1582848)

New in Portable Firefox ESR 69.0.2 (Jul 30, 2020)

  • Fixed:
  • Fixed a crash when editing files on Office 365 websites (bug 1579858)
  • Fixed detection of the Windows 10 Parental Controls feature being enabled (bug 1584613)

New in Portable Firefox ESR 69.0 (Jul 30, 2020)

  • New:
  • Enhanced Tracking Protection (ETP) rolls out stronger privacy protections:
  • The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
  • The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.
  • The Block Autoplay feature is enhanced to give users the option to block any video that automatically starts playing, not just those that automatically play with sound.
  • For our users in the US or using the en-US browser, we are shipping a new “New Tab” page experience that connects you to the best of Pocket’s content.
  • Support for the Web Authentication HmacSecret extension via Windows Hello now comes with this release, for versions of Windows 10 May 2019 or newer, enabling more passwordless experiences on the web.
  • Support for receiving multiple video codecs with this release makes it easier for WebRTC conferencing services to mix video from different clients.
  • For our users on Windows 10, you’ll see performance and UI improvements:
  • Firefox will give Windows hints to appropriately set content process priority levels, meaning more processor time spent on the tasks you're actively working on, and less processor time spent on things in the background (with the exception of video and audio playback).
  • For our existing Windows 10 users, you can easily find and launch Firefox from a shortcut on the Win10 taskbar.
  • For our users on macOS, battery life and download UI are both improved:
  • macOS users on dual-graphics-card machines (like MacBook Pro) will switch back to the low-power GPU more aggressively, saving battery life.
  • Finder on macOS now displays download progress for files being downloaded.
  • JIT support comes to ARM64 for improved performance of our JavaScript Optimizing JIT compiler.
  • Fixed:
  • Various security fixes
  • Changed:
  • As previously announced in the Plugin Roadmap for Firefox, the "Always Activate" option for Flash plugin content has been removed. Firefox will now always ask for user permission before activating Flash content on a website.
  • With the deprecation of Adobe Flash Player, there is no longer a need to identify users on the 32-bit version of the Firefox browser on 64-bit operating systems. This reduces user agent fingerprinting factors, providing a greater level of privacy to our users, and improves the experience of downloading other apps.
  • Firefox no longer loads userChrome.css or userContent.css by default, improving start-up performance. Users who wish to customize Firefox by using these files can set the toolkit.legacyUserProfileCustomizations.stylesheets preference to true to restore this ability.
  • Enterprise:
  • For Enterprise system administrators that manage macOS computers, we begin shipping a Mozilla signed PKG installer to simplify your deployments.
  • Developer:
  • For our mobile web developers, we have migrated remote debugging from the old WebIDE into a re-designed about:debugging, making debugging GeckoView on remote devices via USB rock solid.
  • The network panel will now show blocked resources to allow developers to best understand the impact of content blocking and ad blocking extensions given our ongoing expansion of Enhanced Tracking Protection to all users with this release.
  • The new event listener breakpoint feature allows developers to pause on a host of different event types, whether it be related to animations, DOM, media, mouse, touch, worker, and many other event types.
  • Firefox Developer Tools now offers an audit for the presence of text alternatives for non-text content; the a11y panel checks toolbar has been augmented to better help developers adhere to WCAG Guideline 1.1.

New in Portable Firefox ESR 68.10.0 (Jul 1, 2020)

  • Various security fixes
  • Various stability and regression fixes

New in Portable Firefox ESR 68.9.0 (Jun 2, 2020)

  • Various stability and security fixes:
  • CVE-2020-12399: Timing attack on DSA signatures in NSS library
  • CVE-2020-12405: Use-after-free in SharedWorkerService
  • CVE-2020-12406: JavaScript Type confusion with NativeTypes
  • CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9

New in Portable Firefox ESR 68.7.0 (Apr 8, 2020)

  • Various stability and security fixes:
  • CVE-2020-6828: Preference overwrite via crafted Intent from malicious Android application
  • CVE-2020-6827: Custom Tabs in Firefox for Android could have the URI spoofed
  • CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method
  • CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large images
  • CVE-2020-6825: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7

New in Portable Firefox ESR 68.6.0 (Mar 12, 2020)

  • Security fixes:
  • CVE-2020-6805: Use-after-free when removing data about origins
  • CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections against state confusion
  • CVE-2020-6807: Use-after-free in cubeb during stream destruction
  • CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
  • CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init
  • CVE-2020-6812: The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
  • CVE-2020-6814: Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6

New in Portable Firefox ESR 68.5.0 (Feb 12, 2020)

  • Various stability and security fixes

New in Portable Firefox ESR 68.4.2 (Jan 21, 2020)

  • Fixed various issues opening files with spaces in their path

New in Portable Firefox ESR 68.4.1 (Jan 11, 2020)

  • Security fix:
  • CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
  • Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.

New in Portable Firefox ESR 60.8.0 (Jul 10, 2019)

  • Various security fixes

New in Portable Firefox ESR 60.6.3 (May 9, 2019)

  • Further improvements to re-enable web extensions which had been disabled for users with a master password set

New in Portable Firefox ESR 60.5.2 (Feb 25, 2019)

  • Fixed a frequent crash when reading various Reuters news articles (bug 1505844)

New in Portable Firefox ESR 60.5.1 (Feb 22, 2019)

  • Various security fixes

New in Portable Firefox ESR 60.3.0 (Oct 29, 2018)

  • CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin
  • CVE-2018-12392: Crash with nested event loops
  • CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript
  • CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting
  • CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts
  • CVE-2018-12397:
  • A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened.
  • CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3

New in Portable Firefox ESR 60.2.2 (Oct 4, 2018)

  • Fixed:
  • Fixed hangs on macOS Mojave (10.14) when various dialog windows (upload, download, print, etc) are activated (bug 1489785)
  • Various security fixes:
  • CVE-2018-12386: Type confusion in JavaScript:
  • A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered.
  • CVE-2018-12387:
  • A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.

New in Portable Firefox ESR 60.2.1 (Oct 4, 2018)

  • Fixed:
  • Disabled multiprocess support for users running old versions of the JAWS screen reader software (bug 1489605)
  • Fixed a startup crash affecting users migrating from older ESR releases (bug 1489744)
  • Clean up old NSS DB files after upgrading (bug 1475775)
  • Various security fixes:
  • CVE-2018-12385: Crash in TransportSecurityInfo due to cached data:
  • A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used.
  • CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords:
  • If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations.

New in Portable Firefox ESR 60.2.0 (Oct 4, 2018)

  • Various stability and regression fixes
  • Various security fixes:
  • CVE-2018-12377: Use-after-free in refresh driver timers:
  • A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash.
  • CVE-2018-12378: Use-after-free in IndexedDB:
  • A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash.
  • CVE-2018-12379: Out-of-bounds write with malicious MAR file:
  • When the Mozilla Updater opens a MAR format file which contains a very long item filename, an out-of-bounds write can be triggered, leading to a potentially exploitable crash. This requires running the Mozilla Updater manually on the local system with the malicious MAR file in order to occur.
  • CVE-2017-16541: Proxy bypass using automount and autofs:
  • Browser proxy settings can be bypassed by using the automount feature with autofs to create a mount point on the local file system. Content can be loaded from this mounted file system directly using a file: URI, bypassing configured proxy settings.
  • Note: this issue only affects OS X in default configurations. On Linux systems, autofs must be installed for the vulnerability to occur and Windows is not affected.
  • CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation:
  • Manually dragging and dropping an Outlook email message into the browser will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL.
  • Note: this issue only affects Windows operating systems with Outlook installed. Other operating systems are not affected.
  • CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2:
  • Mozilla developers and community members Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, and Andrei Cristian Petcu reported memory safety bugs present in Firefox 61 and Firefox ESR 60.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.

New in Portable Firefox ESR 60.1.0 (Jul 11, 2018)

  • Various security fixes
  • Various stability and regression fixes

New in Portable Firefox ESR 52.8.1 (Jun 14, 2018)

  • Security fixes:
  • A heap buffer overflow can occur in the Skia library when rasterizing paths using a maliciously crafted SVG file with anti-aliasing turned off. This results in a potentially exploitable crash.

New in Portable Firefox ESR 60.0.2 (Jun 7, 2018)

  • CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG with Skia:
  • A heap buffer overflow can occur in the Skia library when rasterizing paths using a maliciously crafted SVG file with anti-aliasing turned off. This results in a potentially exploitable crash.

New in Portable Firefox ESR 52.8.0 (May 10, 2018)

  • Various security fixes
  • Various stability and regression fixes
  • Performance improvements to the Safe Browsing service to avoid slowdowns while updating site classification data

New in Portable Firefox ESR 52.7.4 (May 5, 2018)

  • Fix for compatibility with Windows 10 April 2018 update (Bug 1452619)

New in Portable Firefox ESR 52.7.3 (Mar 27, 2018)

  • Security fixes:
  • Use-after-free in compositor

New in Portable Firefox ESR 52.7.2 (Mar 18, 2018)

  • Various security fixes

New in Portable Firefox ESR 52.6.0 (Jan 24, 2018)

  • Various stability and regression fixes
  • Various security fixes

New in Portable Firefox ESR 52.5.3 (Dec 28, 2017)

  • Fixed:
  • Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bug 1427111)

New in Portable Firefox ESR 52.5.2 (Dec 9, 2017)

  • Various security fixes

New in Portable Firefox ESR 52.5.0 (Nov 15, 2017)

  • Various security fixes
  • Various stability and regression fixes

New in Portable Firefox ESR 52.4.0 (Sep 29, 2017)

  • Various security fixes
  • Various stability and regression fixes

New in Portable Firefox ESR 52.3.0 (Aug 9, 2017)

  • Fixed:
  • Various stability and regression fixes
  • Various security fixes

New in Portable Firefox ESR 52.2.1 (Jul 6, 2017)

  • Printing text does not work on Windows when Direct2D is disabled (Bug 1318845)

New in Portable Firefox ESR 52.2.0 (Jun 15, 2017)

  • Fixed:
  • Various security fixes
  • Changed:
  • Improved file type recognition on Windows