Detections
Analytics

Mozilla Firefox ESR < 140.4

medium Nessus Plugin ID 270351

Language:

Synopsis

A web browser installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities.

Description

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 140.4. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-83 advisory.

 - A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. (CVE-2025-11712)

 - Use-after-free in MediaTrackGraphImpl::GetInstance() (CVE-2025-11708)

 - A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. (CVE-2025-11709)

 - A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. (CVE-2025-11710)

 - There was a way to change the value of JavaScript Object properties that were supposed to be non- writeable. (CVE-2025-11711)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Mozilla Firefox ESR version 140.4 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/

Plugin Details

Severity: Medium

ID: 270351

File Name: macos_firefox_140_4_esr.nasl

Version: 1.1

Type: local

Agent: macosx

Published: 10/14/2025

Updated: 10/14/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2025-11712

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox_esr

Required KB Items: MacOSX/Firefox/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 10/14/2025

Vulnerability Publication Date: 10/14/2025

Reference Information

CVE: CVE-2025-11708, CVE-2025-11709, CVE-2025-11710, CVE-2025-11711, CVE-2025-11712, CVE-2025-11713, CVE-2025-11714, CVE-2025-11715