Corrective releases Firefox 100.0.2, Firefox ESR 91.9.1 and Thunderbird 91.9.1 have been published, fixing two vulnerabilities that are rated critical. At Pwn2Own 2022, taking place these days, a working exploit was demonstrated that allowed a specially crafted page to bypass sandbox isolation and execute code in the system. The author of the exploit was awarded a prize of 100 thousand dollars.
The first vulnerability (CVE-2022-1802) is present in the implementation of the await operator and makes it possible to corrupt the methods of the Array object by changing prototype properties ("prototype pollution"). The second vulnerability (CVE-2022-1529) makes it possible to change the prototype property when unverified data is processed while indexing JavaScript objects. The vulnerabilities allow JavaScript code to be executed in the privileged parent process.
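
The bug class described above, as an added example that is not Firefox code and does not reproduce either CVE: a generic setter that indexes objects with unverified keys, next to a hardened form. The function names and the sample path are hypothetical and constructed for illustration.

```javascript
// Added illustration of prototype pollution; names and inputs are hypothetical.

// Vulnerable: walks `path` (unverified) with plain indexing, so a key such as
// "__proto__" steps from the target onto the prototype shared by all arrays.
function setPathUnsafe(target, path, value) {
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
}

const FORBIDDEN = new Set(["__proto__", "prototype", "constructor"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened: rejects prototype-reaching keys and descends only into own properties.
function setPathSafe(target, path, value) {
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (FORBIDDEN.has(key)) throw new TypeError(`rejected key: ${key}`);
    if (!hasOwn(node, key)) node[key] = Object.create(null);
    node = node[key];
  }
  const last = path[path.length - 1];
  if (FORBIDDEN.has(last)) throw new TypeError(`rejected key: ${last}`);
  node[last] = value;
}

// Runs both variants on the same constructed path and reports whether an
// unrelated array was affected. Array.prototype is restored afterwards.
function demo() {
  const original = Array.prototype.includes;
  const untrustedPath = ["__proto__", "includes"]; // constructed sample input
  const result = {};
  try {
    setPathUnsafe([], untrustedPath, () => true);
    result.unsafePolluted = [1, 2].includes(99); // method replaced for every array
  } finally {
    Array.prototype.includes = original;
  }
  try {
    setPathSafe([], untrustedPath, () => true);
    result.safeRejected = false;
  } catch (e) {
    result.safeRejected = e instanceof TypeError;
  }
  result.safePolluted = [1, 2].includes(99);
  return result;
}
```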