Mozilla component versions are getting old
Our security team performed a routine scan of the installation package for Windows, and they are noting that a number of the Mozilla (Firefox) components are from the 140.10.0 timeline and that 152.0.2 is the latest. A number of files are associated with a high CVSS score of 10.
How often are the Mozilla components updated and refreshed to the latest version? Can we expect another uplift to address concerns of the outdated Mozilla potentially reaching out to a compromised destination, resulting in an attacker gaining a foothold on the user's PC?
Since Zotero routinely checks references from a number of third-party sources I don't think it is safe to assume they would never become compromised.
The Zotero betas for macOS and Linux have been based on 140.11.0 since May. Updating Firefox for Windows builds currently requires a lot more effort, so those aren't always updated as quickly, but the latest Zotero beta is now based on 140.12.0 for all three platforms. If no problems are found, we'll put out a Zotero 9 release based on that in a few days.

We don't assume that, but the vast majority of Firefox security flaws are unlikely to be exploitable in Zotero. Most outgoing requests in Zotero are not actual browser loads, where most vulnerabilities would be, and are simply basic HTTP requests against known domains. There's almost no chance that, say, a DOI lookup against doi.org would ever be a security vulnerability.

There are some areas that could theoretically be more likely to be exploitable, and the number of bugs fixed in each ESR dot release has been growing due to AI, which is why we do aim to update the Firefox base regularly (and we're working to make updating Firefox on Windows easier so we can get new builds out faster), but real exploits are still extremely unlikely for most users.
Regards