Log Message:
firefox128: update to 128.9.0

Mozilla Foundation Security Advisory 2025-22
Security Vulnerabilities fixed in Firefox ESR 128.9

Announced
    April 1, 2025
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 128.9

#CVE-2025-3028: Use-after-free triggered by XSLTProcessor

Reporter
    Ivan Fratric of Google Project Zero
Impact
    high

Description

JavaScript code running while transforming a document with the XSLTProcessor \ 
could lead to a use-after-free.
References

    Bug 1941002

#CVE-2025-3029: URL Bar Spoofing via non-BMP Unicode characters

Reporter
    Renwa Hiwa
Impact
    moderate

Description

A crafted URL containing specific Unicode characters could have hidden the true \ 
origin of the page, resulting in a potential spoofing attack.
References

    Bug 1952213

#CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird 137, \ 
Firefox ESR 128.9, and Thunderbird 128.9

Reporter
    Sylvestre Ledru, Paul Bone and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, \ 
and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption \ 
and we presume that with enough effort some of these could have been exploited \ 
to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, \ 
and Thunderbird 128.9