Mozilla component versions are getting old

Our security team performed a routine scan of the installation package for Windows, and they are noting that a number of the Mozilla (Firefox) components are from the 140.10.0 timeline and that 152.0.2 is the latest. A number of files are associated with a high CVSS score of 10.

How often are the Mozilla components updated and refreshed to the latest version? Can we expect another uplift to address concerns of the outdated Mozilla potentially reaching out to a compromised destination, resulting in an attacker gaining a foothold on the user's PC?

Since Zotero routinely checks references from a number of third-party sources I don't think it is safe to assume they would never become compromised.
  • dstillman (Zotero Team)
    a number of the Mozilla (Firefox) components are from the 140.10.0 timeline and that 152.0.2 is the latest
    That's not quite accurate. Zotero is built on Firefox ESR versions, so the latest is 140.12.0. 140.10.0 ESR already incorporates security fixes through Firefox 150 from April.

    The Zotero betas for macOS and Linux have been based on 140.11.0 since May. Updating Firefox for Windows builds currently requires a lot more effort, so those aren't always updated as quickly, but the latest Zotero beta is now based on 140.12.0 for all three platforms. If no problems are found, we'll put out a Zotero 9 release based on that in a few days.
    Since Zotero routinely checks references from a number of third-party sources I don't think it is safe to assume they would never become compromised.
    We don't assume that, but the vast majority of Firefox security flaws are unlikely to be exploitable in Zotero. Most outgoing requests in Zotero are not actual browser loads, where most vulnerabilities would be, and are simply basic HTTP requests against known domains. There's almost no chance that, say, a DOI lookup against doi.org would ever be a security vulnerability. There are some areas that could theoretically be more likely to be exploitable, and the number of bugs fixed in each ESR dot release has been growing due to AI, which is why we do aim to update the Firefox base regularly (and we're working to make updating Firefox on Windows easier so we can get new builds out faster), but real exploits are still extremely unlikely for most users.
  • Thanks for clarifying it is the ESR branch of Firefox. I guess under that timeline at least we're only a couple months old. I'll check back in a few days to see if I should send the next version out for packaging in our environment or stick with the current latest.

    Regards