Flaws that might have enabled cross-domain data leakage were patched.
Flaws that might have enabled cross-domain data leakage were patched.

A number of fixes were issued on Wednesday for security vulnerabilities in Thunderbird 45.6, a free email application offered by Mozilla, the company behind the Firefox web browser.

Three of the flaws were rated critical and six high. The open source, cross-platform email, news and chat client was developed by the company's parent organization, the Mozilla Foundation.

In its advisory, the company said the flaws were not exploitable through email in the Thunderbird app "because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts."

One critical upgrade, CVE-2016-9899, patches a flaw affecting "use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption."

The other critical fix, CVE-2016-9893, addressed a number of memory safety bugs that showed evidence of memory corruption. Given enough effort, some of these vulnerabilities could be exploited to run arbitrary code, said Mozilla developers and community members involved.

Other flaws, rated high, might have enabled cross-domain data leakage (such as usernames embedded in JavaScript code, across websites) and exploitable crashes.