Mozilla patches two critical security issues in Firefox and Thunderbird

Martin Brinkmann
May 21, 2022

Mozilla published updates for its Firefox and Firefox ESR web browsers on May 20, 2022. The Thunderbird development team released a patch for the email client as well. The security updates patch two critical security issues in the Firefox web browser and Thunderbird.

Here is the list of products with updates:

  • Firefox 100.0.2
  • Firefox ESR 91.9.1
  • Firefox for Android 100.3
  • Thunderbird 91.9.1

The updates are available already, and most user installations will be updated automatically. Desktop users who don't want to wait until that happens may run a manual check for updates to speed up the installation.

  • Firefox: select Menu > Help > About Firefox. Firefox runs a manual check for updates. Any update that is found will be downloaded and installed.
  • Thunderbird: select Help > About Thunderbird. Thunderbird will also check for updates and install any that it finds.

Note: Firefox for Android is updated via Google Play. There is no option to speed up the delivery of updates on Android via Google Play.

The official release notes list a single entry, that confirm the security nature of the update. Mozilla published a security advisory for all affected versions of the web browser that provide additional details on the issues:

There, users find out that two security issues have been patched in the update. Both issues have the severity rating of critical, the highest rating that is available. They were reported to Mozilla by Manfred Paul via Trend Micro's Zero Day Initiative.

CVE-2022-1802: Prototype pollution in Top-Level Await implementation

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.

CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.

The linked bug reports are restricted. Mozilla makes no mention of attacks in the wilds that target these vulnerabilities.

Firefox and Thunderbird users may want to update their applications quickly to protect them against attacks targeting these issues.

Now You: when do you update your applications?

Mozilla patches two critical security issues in Firefox and Thunderbird
Article Name
Mozilla patches two critical security issues in Firefox and Thunderbird
Mozilla published security updates for its Firefox and Firefox ESR web browsers on May 20, 2022. The Thunderbird development team released a patch for the email client as well.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Acun said on May 22, 2022 at 8:37 pm

    Martin Why no more articles about tor browser

  2. TimH said on May 21, 2022 at 4:12 pm

    What has Javascript got to do with email messages in Thunderbird, which is the only attack vector?

  3. Tom Hawack said on May 21, 2022 at 10:58 am

    > “Now You: when do you update your applications?”

    I update immediately when critical fixes are concerned but I usually wait & see otherwise : an update is not necessarily an improvement. Firefox is somewhat apart : unless the fix concerns a given platform specifically I always update, moreover with a clean install (takes me 10 minutes), because auto-updates (Firefox, extensions) are disabled and because I don’t want the full install to be processed over the current one.

    Houston, the fox 100.0.2 has landed. It’s one small digit for a browser but a giant leap for security. I guess because frankly this time I don’t understand at all what the release note describes …

    1. Hitomi said on May 21, 2022 at 11:09 am

      I always update. Clonezilla and profile backups can revert any bad change.

      Profile backups can be automatically run via taskshed:

      @echo off
      echo Checking if Firefox is closed properly
      tasklist /FI “IMAGENAME eq firefox.exe” 2>NUL | find /I /N “firefox.exe”>NUL
      if “%ERRORLEVEL%”==”0” GOTO END
      echo SUCCESS
      7z a subdir\
      echo FAIL
      echo Firefox is still running and the backup cannot start

      1. Andy Prough said on May 21, 2022 at 6:12 pm

        More good reasons to leave all js disabled by default. uBlock Origin in advanced mode gives a good way to keep js disabled, and only allow certain scripts that you find necessary to the functioning of the site.

      2. Tom Hawack said on May 21, 2022 at 11:39 am

        @Hitomi, I always backup my Firefox profile(s) but these are not concerned when updating Firefox : when I mention the clean install I mean that I uninstall the Firefox application first, but not of course its profile(s).

        Thanks for batch code. Here all backups (and I’ve got quite many) are processed with the SyncBackSE application which I’ve used for years and… never updated since version (free edition) :=) …

      3. Hitomi said on May 21, 2022 at 12:02 pm

        Always use what worked well for you and never let anyone talk you out of it ;)

        My actual code is a bit more complex as I remove directories and files that store no relevant profile data, then I perform an sqlite vacuum command over all databases to shrink them. But that just scrubs like 10MB of every backup.

        It is more of an example code, the only important step here is to check firefox had a clean exit and no dead process is locking files and DBs in the background.

      4. Tom Hawack said on May 21, 2022 at 12:25 pm

        @Hitomi, well I guess it’s not because our own processes work fine for us that others may not work better! All experiences are worth being shared. Problems arise between people when one of us asserts his way of proceeding, his choices are the best, the only, the ultimate … :=)

        Concerning databases’ vacuum, I think you’re so right. I use the ‘Speedyfox’ application to perform this.

        About backups themselves : you know this but maybe is it worth being reminded : a backup must necessarily be a mirror backup if the aim is to have an exact copy : if the source has added files then the backup will include them, no problem … BUT if the source no longer has files which had been previously backed up then the new “standard” backup will not remove those removed files, leading to a wrong restoration. Mirror backup (which the SyncBackSE application allows) will add a source’s new files AND remove files which are no longer in the Source …

        I’m pointing this out because I had encountered, “in the beginning, in the beginning, long time ago…” issues when restoring a non-image-backup … and discovering restored files which were inappropriate.

      5. Hitomi said on May 21, 2022 at 3:00 pm

        I don’t use incremental or journaling type of backups. All my backups are cumulative and 1:1. Currently at the leisure to have 4TB external space to use for images. At full XZ compression a 50GB NVME Backup shrinks to a 20GB image. My software needs are modest, a backup for me preserves my genuine activations and hour long OS configuration. Inane hobbies such as gaming are on a separate SATA SSD. Personal files are on an old school HDD.

        OS and personal files have their own backup with the rule of three: Desktop+NAS+offline external drive. In separate locations in case of fire. Gaming uses the cloud meme backup, as gaming saves are not considered private to myself. Also games can be re-downloaded from the forced gaming accounts. GOG is a good DRM free company if that is important.

        Since I don’t know SyncBackSE, I have no insight how it works. As I don’t care for ECC RAM, i check integrity manually with hashes. If every file is stable over an extended period, no data loss can occur. Bit rot is mostly a meme. But I am ranting about random thoughts at this point.

        Bush as in the senile president?

        This was some recent comedy gold.

      6. Tom Hawack said on May 21, 2022 at 4:03 pm

        OK, nice environment and smart operations, mine are far more modest and basic. Anyway the main thing here is our data, so if we manage to save and restore it then all is fine.

        Bush Jr. himself indeed. Videos flourished everywhere, with as always exaggerated comments. Funny OK, but anyone can mistake. After the gaffe another fun are the hysterical titles you see here and thee… that’s how it goes nowadays. Too much of everything, lasts a few days, then all forgotten. Hurricanes.

      7. Tom Hawack said on May 21, 2022 at 12:49 pm

        EDIT, sorry!

        I wrote above :

        “I’m pointing this out because I had encountered, “in the beginning, in the beginning, long time ago…” issues when restoring a non-image-backup … and discovering restored files which were inappropriate.”

        when I should have written :
        ” […] when restoring a non-mirror-backup […] : “mirror”, not “image” of course.

        Like Bush, “hmm…75″, worse even ‘hmm… 68” in my case, triple lol!

  4. Paul(us) said on May 21, 2022 at 10:38 am

    Browsers-wise I update almost directly. This is because when the update is going wrong the removal and reinstalment of an older version, with all the settings and bookmarks is work of minutes.
    Most applications and drivers are also almost directly updated by me.

    With Linux o.s. almost directly, Raspberry pi o.s. idem, but with Windows o.s. I am always very careful and it can take months before I update.
    My standard with windows is to wait and see what the community experiences, wait for the solutions and only then install.

    However, I have also skipped entire operating systems versions such as Windows 1,2, and 3.0, Windows ME, Windows 2000, Windows Vista Windows 8, and Windows 8.1 (And other releases).

    The development of Windows 11 so far also looks as if it’s the next candidate of Windows that I am not going to install at all.
    Windows 12, might have a chance again but I am not sure about that eater yet because there is practically nothing known about with direction that o.s. is going.

    1. Hitomi said on May 21, 2022 at 11:03 am

      Didn’t have an update “go wrong” in years. After the switch to webextensions there were no grave changes anymore that could have affected my user profile. Also disable browser experiments in about:config.

      For security it is best to be on beta channel, as you receive fixes earlier most of the time unless it is a 0day.

      my 2cents

  5. Anonymous said on May 21, 2022 at 7:34 am


    Now You: when do you update your applications?

    Complex question. It depends
    1) When advice about critical updates is sighted
    2) Windows is done early in the month before patch Tuesday and after researching updates
    3 Browsers and T’Bird normally update themselves (but see 1)
    4) Other programs are done when in the mood.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.