Mozilla has released Firefox 50. The latest update increases the benefits to users from multiple content processes, and fixes a dozen high impact security vulnerabilities.
Among the improvements in Firefox's latest release is further access to Electrolysis, Mozilla's functionality for rendering and executing web-related content in background processes, which is designed to improve the responsiveness and stability of the browser.
Also improved is performance for SDK extensions or extensions using the SDK module loader, along with extended support for pluginless video on more platforms, including WebM EME Support for Widevine.
Nick Nguyen, VP product for Firefox, told InfoQ that while Firefox 50 is "a relatively quiet release for the JavaScript engine" there are several notable features.
Among the updates worth noting for JavaScript developers are sourcemap linking and stack traces for XHR and fetch() requests in the Web Console.
According to the corresponding MDN article, this means that developers whose JavaScript sources are compressed can now supply a source map. Any messages or errors generated by their source will then show up in the Web Console, linking back to the original source.
Firefox 50 brings JavaScript developers an implementation of the ES2015 Symbol.hasInstance property, which "determines if a constructor object recognises an object as one of the constructor's instances."
In addition, there is the Object.getOwnPropertyDescriptors() method, which "returns a property descriptor for an own property (that is, one directly present on an object and not in the object's prototype chain) of a given object".
According to Mozilla Foundation Security Advisory 2016-89, Firefox 50 fixes 12 separate high impact security vulnerabilities, along with one critical vulnerability, CVE-2016-5296. The critical vulnerability reportedly was caused by "a heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimisation, resulting in a potentially exploitable crash."
According to a security update from Red Hat addressing the issue, "Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox."
Among the high impact vulnerabilities fixed is CVE-2016-9064, where add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated, leaving users open to a "man-in-the-middle attack" on their connection. Another is CVE-2016-9075, where a malicious web extension could use the mozAddonManager API to install additional extensions without permission.
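The class of check that CVE-2016-9064 describes as missing, shown as an added example that is not Mozilla's code: a simplified updater model where a valid signature alone is compared with a signature plus ID binding. Ed25519 over a JSON manifest stands in for the real package signing format, and the function names, key and add-on IDs are constructed for illustration.

```javascript
// Simplified updater model (constructed example, not Firefox's implementation).
const nodeCrypto = require("node:crypto");

// Constructed key pair standing in for the add-on signing authority.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");

// Build a "signed package": manifest bytes plus a signature over those bytes.
function signPackage(manifest) {
  const payload = Buffer.from(JSON.stringify(manifest));
  return { payload, signature: nodeCrypto.sign(null, payload, privateKey) };
}

// Before: a valid signature is treated as sufficient, so any package the
// authority ever signed is accepted as an update for any installed add-on.
function acceptUpdateSignatureOnly(installed, pkg) {
  return nodeCrypto.verify(null, pkg.payload, publicKey, pkg.signature);
}

// After: the signature must verify AND the ID inside the signed manifest
// must equal the ID of the add-on being updated.
function acceptUpdate(installed, pkg) {
  if (!nodeCrypto.verify(null, pkg.payload, publicKey, pkg.signature)) {
    return { ok: false, reason: "bad-signature" };
  }
  let manifest;
  try {
    // Parse only after the bytes have been authenticated.
    manifest = JSON.parse(pkg.payload.toString("utf8"));
  } catch {
    return { ok: false, reason: "bad-manifest" };
  }
  if (typeof manifest.id !== "string" || manifest.id !== installed.id) {
    return { ok: false, reason: "id-mismatch" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample data.
const installed = { id: "notes@example.test", version: "1.0" };
const genuine = signPackage({ id: "notes@example.test", version: "1.1" });
const substituted = signPackage({ id: "other@example.test", version: "9.0" });
const tampered = {
  payload: Buffer.from('{"id":"notes@example.test","version":"6.6"}'),
  signature: genuine.signature, // signature reused over different bytes
};
```

The signature-only check accepts `substituted` because the signature is genuine; only the ID comparison ties the package to the add-on actually being updated.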
Nguyen told InfoQ that all vulnerabilities "were found internally or responsibly disclosed," with there being "no known exploits" for any of them.
A full list of changes in version 50 is available in the release notes.
Mozilla welcome newcomers who want to be part of the Firefox project, and there are many ways that InfoQ readers can contribute to Firefox. A full list of options is available on the Mozilla Developer Network where Mozilla also publish a number of How To guides.