{"affected":[{"ecosystem_specific":{"binaries":[{"libmozjs-128-0":"128.14.0-160000.1.1","mozjs128":"128.14.0-160000.1.1","mozjs128-devel":"128.14.0-160000.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"mozjs128","purl":"pkg:rpm/opensuse/mozjs128&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"128.14.0-160000.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for mozjs128 fixes the following issues:\n\n- Update to version 128.14.0 (bsc#1248162):\n  + CVE-2025-9179: Sandbox escape due to invalid pointer in the\n    Audio/Video: GMP component\n  + CVE-2025-9180: Same-origin policy bypass in the Graphics:\n    Canvas2D component\n  + CVE-2025-9181: Uninitialized memory in the JavaScript Engine\n    component\n  + CVE-2025-9185: Memory safety bugs fixed in Firefox ESR 115.27,\n    Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2,\n    Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142\n\n- Update to version 128.13.0:\n  + CVE-2025-8027: JavaScript engine only wrote partial return\n    value to stack\n  + CVE-2025-8028: Large branch table could lead to truncated\n    instruction\n  + CVE-2025-8029: javascript: URLs executed on object and embed\n    tags\n  + CVE-2025-8030: Potential user-assisted code execution in “Copy\n    as cURL” command\n  + CVE-2025-8031: Incorrect URL stripping in CSP reports\n  + CVE-2025-8032: XSLT documents could bypass CSP\n  + CVE-2025-8033: Incorrect JavaScript state machine for\n    generators\n  + CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26,\n    Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1,\n    Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141\n  + CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13,\n    Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR\n    140.1, Firefox 141 and Thunderbird 141\n\n- Update to version 128.12.0:\n  + CVE-2025-6424: Use-after-free in FontFaceSet\n  + CVE-2025-6425: The WebCompat WebExtension shipped with Firefox\n    exposed a persistent UUID\n  + CVE-2025-6426: No warning when opening executable terminal\n    files on macOS\n  + CVE-2025-6429: Incorrect parsing of URLs could have allowed\n    embedding of youtube.com\n  + CVE-2025-6430: Content-Disposition header ignored when a file\n    is included in an embed or object tag\n\n- Update to version 128.11.0:\n  + CVE-2025-5283: Double-free in libvpx encoder\n  + CVE-2025-5263: Error handling for script execution was\n    incorrectly isolated from web content\n  + CVE-2025-5264: Potential local code execution in “Copy as cURL”\n    command\n  + CVE-2025-5265: Potential local code execution in “Copy as cURL”\n    command\n  + CVE-2025-5266: Script element events leaked cross-origin\n    resource status\n  + CVE-2025-5267: Clickjacking vulnerability could have led to\n    leaking saved payment card details\n  + CVE-2025-5268: Memory safety bugs fixed in Firefox 139,\n    Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11\n  + CVE-2025-5269: Memory safety bug fixed in Firefox ESR 128.11\n    and Thunderbird 128.11\n","id":"openSUSE-SU-2025-20135-1","modified":"2025-12-03T20:41:04Z","published":"2025-12-03T20:41:04Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1248162"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-5263"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-5264"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-5265"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-5266"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-5267"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-5268"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-5269"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-5283"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6424"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6425"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6426"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6429"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6430"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8027"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8028"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8029"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8030"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8031"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8032"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8033"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8034"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8035"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-9179"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-9180"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-9181"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-9185"}],"related":["CVE-2025-5263","CVE-2025-5264","CVE-2025-5265","CVE-2025-5266","CVE-2025-5267","CVE-2025-5268","CVE-2025-5269","CVE-2025-5283","CVE-2025-6424","CVE-2025-6425","CVE-2025-6426","CVE-2025-6429","CVE-2025-6430","CVE-2025-8027","CVE-2025-8028","CVE-2025-8029","CVE-2025-8030","CVE-2025-8031","CVE-2025-8032","CVE-2025-8033","CVE-2025-8034","CVE-2025-8035","CVE-2025-9179","CVE-2025-9180","CVE-2025-9181","CVE-2025-9185"],"summary":"Security update for mozjs128","upstream":["CVE-2025-5263","CVE-2025-5264","CVE-2025-5265","CVE-2025-5266","CVE-2025-5267","CVE-2025-5268","CVE-2025-5269","CVE-2025-5283","CVE-2025-6424","CVE-2025-6425","CVE-2025-6426","CVE-2025-6429","CVE-2025-6430","CVE-2025-8027","CVE-2025-8028","CVE-2025-8029","CVE-2025-8030","CVE-2025-8031","CVE-2025-8032","CVE-2025-8033","CVE-2025-8034","CVE-2025-8035","CVE-2025-9179","CVE-2025-9180","CVE-2025-9181","CVE-2025-9185"]}