Open kittybwained opened 12 hours ago
Looking at https://github.com/zen-browser/desktop/blob/main/surfer.json we can see Zen is currently built on Firefox 131.0.
EDIT: The Patch version is not specified in this file. Whether this means 131.0.0 or the latest 131.0.X patch, I can't tell right now.
The fix is in 131.0.2 - NOT, as the issue states, in 130.0.2. Source: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680
I .2 release already?
Oops! Terribly sorry. No idea how I missed that! Edited the issue.
I'll release today with Firefox 131.0.2, don't worry! Just don't go to sketchy websites for a couple of hours.
What happened?
According to the README, Zen 1.0.1-a.7 is built on Firefox 131.0. There is a vulnerability in Firefox versions pre-131.0.2 that allows an attacker to achieve remote code execution. According to Mozilla, this vulnerability is already being exploited in the wild. Zen should upgrade to Firefox version 131.0.2, as it fixes this vulnerability.
Note: I have not done any testing to confirm that Zen is also vulnerable to this, but considering it's built on Firefox, and I doubt the Web Animations API was modified, it would be best to update.
Relevant links:
Reproducible?
Version
1.0.1-a.7
What platform are you seeing the problem on?
Linux, macOS - aarch64, macOS - Intel, Windows
Relevant log output
No response