Firefox 47 Fixes 13 Vulnerabilities, Removes Click-To-Activate Plugin Whitelist

Mozilla fixed 13 security issues, including two critical vulnerabilities that could have led to spoofing and clickjacking, among other issues, when it updated Firefox to the latest build, Firefox 47, this week.

Mozilla fixed 13 security issues, including two critical vulnerabilities that could have led to spoofing and clickjacking, among other issues, when it updated Firefox to the latest build, Firefox 47, this week.

One of the issues, a buffer overflow, could have resulted in a potentially exploitable crash according to an advisory published by the company on Tuesday. According a security researcher that goes by the handle firehack, the overflow could have popped up when the browser parsed HTML5 fragments in a foreign context. When a fragment was inserted into an existing document, it could’ve crashed the browser.

The second critical issue corresponds to not one, but several memory safety bugs reported by 14 different Mozilla developers and community members. The details of the bugs weren’t revealed, but according to the advisory the likeliness that some could be exploited to run arbitrary code was high enough that it warranted fixing.

A handful of vulnerabilities branded high by the company were also fixed in Firefox this week, including two out-of-bounds write vulnerabilities and two use-after-free vulnerabilities. If exploited they could lead to privilege escalation, a potential crash, and persistent denial of service attacks, to name a few outcomes. In addition to the DoS attack, an attacker would be able to manipulate pointerlock, a web API, so that it could lead to spoofing and clickjacking attacks, Mozilla warns.

Firefox 47 also switches all NPAPI plugins, other than Flash, to click-to-activate by default.

The whitelist plugin has been expired in the eyes of Mozilla developers for a while now. Mozilla previously announced plans to completely remove support for NPAPI plugins in Firefox by the end of 2016. This week’s move should preemptively help thwart attackers who have increasingly preyed on plugin exploits. Benjamin Smedberg, an Engineering Manager at Mozilla rationalized a few months ago that there would be a minority of users affected by the move, but the bulk of the plugins are neither used nor relevant. Either way, users should still be able to activate them manually.

For the most part, plugins have remained a steady source of performance problems, crashes, and security incidents for users, regardless of the browser. Google’s Chrome browser and Microsoft’s Edge browser have already removed support for legacy plugins over the past year.

The latest Firefox update also brings a handful of aesthetic changes to the browser, including improvements to YouTube playback, a sidebar for synced tabs, and a number of web platform changes. The update can be applied either through Firefox’s update mechanism, through Some Android users who update Firefox through Google Play will be doing so for the last time. Mozilla previously announced that Firefox 47 is the last version Android Gingerbread it will support.

Suggested articles


  • JC on

    Java is listed in my Firefox a plug in. You mean instead of "Always activate" I will have to click to activate on every web page?
  • maureen nelson on

    I am having some issues in firefox. One is when I open one tab, I get two or more. When I am in facebook and need to change my news feed preference, it clicks the link under the preference instead of changing my reference. I also uninstalled adobe flash as it somehow updated yesterday and caused more problems like making my web page or control panel turning gray at the top and unusable. The version I am running now is 43.0.1. I am still using winXP because I like it.
    • maureen nelson on

      I apparently now can't play video after uninstalling adobe flash. I thought that mozzilla was dumping adobe. Is there anything else I can use? Adobe made it hard to use my computer and would lock up any open windows I had.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.