Mozilla Firefox before 48.0 mishandles changes from 'INPUT type="password"' to 'INPUT type="text"' within a single Session Manager session, which might allow attackers to discover cleartext passwords by reading a session restoration file.
Mozilla Firefox en versiones anteriores a 48.0 no maneja correctamente cambios de 'INPUT type="password"' a 'INPUT type="text"' dentro de una sola sesión Session Manager, lo que podría permitir a atacantes descubrir contraseñas en texto plano mediante la lectura de un archivo de restauración de sesión.
Gustavo Grieco discovered an out-of-bounds read during XML parsing in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or obtain sensitive information. Toni Huttunen discovered that once a favicon is requested from a site, the remote server can keep the network connection open even after the page is closed. A remote attacker could potentially exploit this to track users, resulting in information disclosure. Various other issues were also addressed.
