Firefox Zero-day (CVE-2024-9680)
Recently Firefox patched the CVE-2024-9680 zero-day in the following versions:
- Firefox 131.0.2
- Firefox ESR 128.3.1
- Firefox ESR 115.16.1
Currently Mercury is based on Firefox 192.0.02, which means it's vulnerable. My suggestion, due to low update activity, is to switch to Firefox's ESR release because of its slower but more stable release cycle, which also reduces the need for you to update Mercury; if not, at least update the browser to the latest Firefox version with the vulnerabilities patched, because according to Mozilla the vulnerability is already being exploited.
We will update as quickly as possible, but the disclosed vulnerabilities do not immediately put your device at risk.
It's been 1 month
Update: It's been confirmed it is being exploited in the wild.
So...
Oct 11, 'as quick as possible'. December 9...
Hello, after three months the urge to get the latest version is slowly rising.
I'm still waiting; for now I temporarily use Firefox mainline.
Latest update to my system purged this from existence, as it should.
FYI, Arch repos are now just a redirect to plain Firefox due to this.
^ This is the way 👌
The developers of these projects have a noticeable tendency to release updates at a very slow pace. For instance, the Thorium project took an extremely long time to resolve an issue related to profiles, which then came back again, and they took an extremely long time to resolve it again. It seems that their definition of releasing updates "as quickly as possible" differs significantly from what users with common sense might expect. I use both Thorium and Mercury on a daily basis, and I'm finding myself frustrated with their unreliability and with how many CVEs they might have due to the extremely long timespan between updates. This is not just slow updates; this is extremely slow updates. I am seriously considering making a switch to Firefox for both my Windows and Linux systems. Firefox has consistently proven to be much, much more dependable and timely with updates. This is just from a user's perspective, and I do not intend to offend anyone.
To clarify even further, I don't believe rebasing should be considered an issue in this context. We are dealing with a critical CVE with a severity score of 9.8 that requires -> immediate <- attention. The assertion that it was being addressed "as quickly as possible" only led to confusion. Additionally, the fact that Arch repositories now redirect to regular Firefox when you try to install Mercury should be significant to you.
While developers' efforts are appreciated, please consider officially discontinuing this project because of the difficulty of keeping it up to date. Efforts could then be concentrated on Thorium. Old binaries should also be taken offline to guard against known and yet to be discovered vulnerabilities. This would be in the best interest of users.
Agreed, this project should be taken down; it's dangerous.
Can someone do something? I mean a pull request or something to help the dev? I mean, it's kind of a shame if this project was closed/taken down, and although I want to do it, I don't have any idea how to do such a thing.
I just switched to Firefox Nightly, I really can't be bothered waiting anymore for a massively dangerous CVE to be solved. Also uninstalled Thorium just in case.
Still no updates? Are you alive?
old mate got sucked into a vortex of doom
This is plain negligence; ESR 140 was released by Mozilla: https://www.theregister.com/2025/06/24/firefox_140_esr/. If the author can't find time, it would be better to just deprecate the project after commenting why in the README.md.
I'll be looking for a more updated, sanitised Firefox, but I'd loathe to go back to Librewolf because of their debased nonsense.
https://github.com/CYFARE/HellFire looks like a possible alternative, because it has recent updates and alleges it is even faster than Mercury too! See https://github.com/CYFARE/HellFire/releases/tag/v141.0a1_FP1, released last week.
https://github.com/HeXis-YS/firefox-vanilla looks like a less possible alternative, because they are slower at providing updates.
https://github.com/yokoffing/BetterFox may be useful if one of these forks didn't at least use similar sanitisation methods.
https://floorp.app/en-US is not the same thing, so won't be my main browser.
I do use Brave for some stuff; however, some extensions I use a lot are not available for it, e.g. PassFF and its JS Mozilla service, which I use on Linux with QtPass.