Lookup for vulnerable packages by Package URL.
| Purl | pkg:rpm/redhat/thunderbird@31.4.0-1?arch=el6_6 |
| Type | rpm |
| Namespace | redhat |
| Name | thunderbird |
| Version | 31.4.0-1 |
| Qualifiers |
|
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | null |
| Latest_non_vulnerable_version | null |
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-4uyn-g7y6-zbh2 |
| vulnerability_id |
VCID-4uyn-g7y6-zbh2 |
| summary |
Mozilla developers and community identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of these
could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled, but are potentially a risk in
browser or browser-like contexts. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-8634
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4uyn-g7y6-zbh2 |
|
| 1 |
| url |
VCID-6x4j-c36j-aybs |
| vulnerability_id |
VCID-6x4j-c36j-aybs |
| summary |
Security researcher Xiaofeng Zheng of the Blue Lotus Team at
Tsinghua University reported that a Web Proxy returning a 407 Proxy
Authentication response with a Set-Cookie header could inject
cookies into the originally requested domain. This could be used for
session-fixation attacks. This attack only allows cookies to be written but does
not allow them to be read.
In general this flaw cannot be exploited through email in the
Thunderbird product, but is potentially a risk in browser or browser-like
contexts. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-8639
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6x4j-c36j-aybs |
|
| 2 |
| url |
VCID-zuyy-jyqt-tbgg |
| vulnerability_id |
VCID-zuyy-jyqt-tbgg |
| summary |
Security researcher Muneaki Nishimura reported that
navigator.sendBeacon() does not follow the cross-origin resource
sharing (CORS) specification. This results in the request from
sendBeacon() lacking an origin header in violation of
the W3C Beacon specification and not
being treated as a CORS request. This allows for a potential Cross-site request
forgery (XSRF) attack from malicious websites.
In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a risk in
browser or browser-like contexts. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-8638
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zuyy-jyqt-tbgg |
|
|
| Fixing_vulnerabilities |
|
| Risk_score | 4.5 |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/thunderbird@31.4.0-1%3Farch=el6_6 |