The Mozilla Foundation released updates for Firefox 62 and Firefox ESR 60.2 to fix several vulnerabilities, including two rated critical.

In Firefox 62 the critical issues are CVE-2018-12388 and CVE-2018-12390, which is also in Firefox ESR 60.2, Mozilla reported. Both are memory safety bugs that showed some evidence of memory corruption that possibly with enough effort could be used to run arbitrary code.

Both Firefox products also had three high-rated flaws, CVE-2018-12391, CVE-2018-12392 and CVE-2018-12393. The first fixes a situation where during HTTP Live Stream playback on Firefox for Android desktop, audio data can be accessed across origins in violation of security policies. The second vulnerability is that while manipulating user events in nested loops while opening a document through script, it is possible to trigger a potentially exploitable crash due to poor event handling. The third is an integer overflow during Unicode conversion while loading JavaScript reporter could result in allocating a buffer that is too small for the conversion leading to a possible out-of-bounds write.

There are also three moderate issues shared between both that were addressed, CVE-2018-12395, CVE-2018-12396, CVE-20186-and CVE-2018-12397 while CVE-2018-12398 just affected Firefox 62.

All the vulnerabilities are fixed by updating to Firefox 63 and ESR 60.3.