USN-2993-1: Firefox vulnerabilities

Christian Holler, Gary Kwong, Jesse Ruderman, Tyson Smith, Timothy Nikkel,
Sylvestre Ledru, Julian Seward, Olli Pettay, Karl Tomlinson, Christoph
Diehl, Julian Hector, Jan de Mooij, Mats Palmgren, and Tooru Fujisawa
discovered multiple memory safety issues in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-2815, CVE-2016-2818)

A buffer overflow was discovered when parsing HTML5 fragments in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-2819)

A use-after-free was discovered in contenteditable mode in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-2821)

Jordi Chancel discovered a way to use a persistent menu within a element and place this in an arbitrary location. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to spoof the addressbar contents. (CVE-2016-2822) Armin Razmdjou that the location.host property can be set to an arbitrary string after creating an invalid data: URI. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass some same-origin protections. (CVE-2016-2825) A use-after-free was discovered when processing WebGL content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-2828) Tim McCormack discovered that the permissions notification can show the wrong icon when a page requests several permissions in quick succession. An attacker could potentially exploit this by tricking the user in to giving consent for access to the wrong resource. (CVE-2016-2829) It was discovered that a pointerlock can be created in a fullscreen window without user consent in some circumstances, and this pointerlock cannot be cancelled without quitting Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service or conduct clickjacking attacks. (CVE-2016-2831) John Schoenick discovered that CSS pseudo-classes can leak information about plugins that are installed but disabled. An attacker could potentially exploit this to fingerprint users. (CVE-2016-2832) Matt Wobensmith discovered that Content Security Policy (CSP) does not block the loading of cross-domain Java applets when specified by policy. An attacker could potentially exploit this to bypass CSP protections and conduct cross-site scripting (XSS) attacks. (CVE-2016-2833) In addition, multiple unspecified security issues were discovered in NSS. (CVE-2016-2834)

---

Show more Show less Update instructions After a standard system update you need to restart Firefox to make all the necessary changes. Learn more about how to get the fixes. The problem can be corrected by updating your system to the following package versions: Ubuntu Release Package Version 16.04 xenial firefox –  47.0+build3-0ubuntu0.16.04.1 15.10 wily firefox –  47.0+build3-0ubuntu0.15.10.1 14.04 trusty firefox –  47.0+build3-0ubuntu0.14.04.1 12.04 precise firefox –  47.0+build3-0ubuntu0.12.04.1

---

Reduce your security exposure Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines. Get Ubuntu Pro References CVE-2016-2834 CVE-2016-2833 CVE-2016-2832 CVE-2016-2831 CVE-2016-2829 CVE-2016-2828 CVE-2016-2825 CVE-2016-2822 CVE-2016-2821 CVE-2016-2819 CVE-2016-2834 CVE-2016-2833 CVE-2016-2832 CVE-2016-2831 CVE-2016-2829 CVE-2016-2828 CVE-2016-2825 CVE-2016-2822 CVE-2016-2821 CVE-2016-2819 CVE-2016-2818 CVE-2016-2815

---

Show 2 more references Show less references Related notices USN-3029-1 USN-3023-1 USN-3029-1 USN-3023-1

---

Have additional questions? Talk to a member of the team ›

---

OpenStack OpenStack What is OpenStack Features Managed Consulting Install Support

---

Ceph Ceph What is Ceph Managed Consulting Docs Install

---

Kubernetes Kubernetes What is Kubernetes Managed Install Docs Resources

---

Managed Services Managed Services OpenStack Kubernetes Ceph Apps Firefighting

---

AI / ML AI / ML MLOps Kubeflow MLflow Consulting Data Science MLOps workshop

---

Robotics Robotics ROS ESM What is ROS Community Docs

---

IoT IoT App store Embedded Linux Management

---

Ubuntu Core Ubuntu Core Features Success stories Services Docs

---

Ubuntu Desktop Ubuntu Desktop Organizations Developers Flavors WSL

---

Ubuntu Server Ubuntu Server Hyperscale Docs

---

Cloud Cloud What is cloud computing What is private cloud What is hybrid cloud What is multi-cloud Public cloud

---

Security Security Platform Security ESM Livepatch Security standards CVEs Notices Assurances

---

Landscape Landscape Features Managed Compare Install Docs Log in to Landscape

---

Containers Containers What are containers Chiseled Ubuntu Chiseled and .NET Container Build Service

---

Downloads Downloads Desktop Server Core Cloud

---

Support Support Your subscriptions Account users Pricing Discourse

---

Pricing Pricing Desktops Devices

---

Solutions AI Data Infrastructure Managed IT services Open source security IoT and devices Cloud native development

---

Sectors Automotive Industrial Public sector Telco Finance

---

Contact us About us Community Careers Blog Resources Press centre .twitter-icon { fill: #666666; } .cls-2 { fill: #e5e5e5; } .facebook-icon { fill: #666666; } .cls-2 { fill: #fff; } .linkedin-icon { fill: #666666; } .cls-2 { fill: #fff; } .instagram-icon { fill: #666666; } .cls-2 { fill: #fff; } .rss-icon { fill: #666666; } .cls-2 { fill: #E5E5E5; }

---

© 2025 Canonical Ltd. Ubuntu and Canonical are registered trademarks of Canonical Ltd.

---

Legal information Data privacy Manage your tracker settings Report a bug on this site Back to top Go to the top of the page