Mozilla has officially launched Firefox 137, introducing significant security enhancements and new functionalities aimed at improving user experience and system safety. This latest update addresses multiple high-severity vulnerabilities and introduces features such as automatic hyperlinking in PDFs and HEVC playback support on Linux systems.
Critical Security Vulnerabilities Addressed
Firefox 137 resolves several critical security issues that posed significant risks to users:
– CVE-2025-3028: A high-impact use-after-free vulnerability discovered by Ivan Fratric of Google Project Zero. This flaw could be exploited when JavaScript code executes during document transformation with the XSLTProcessor, potentially allowing attackers to execute arbitrary code on the victim’s system.
– CVE-2025-3030: A memory safety bug present in Firefox 136 and other Mozilla products. Identified by Sylvestre Ledru, Paul Bone, and the Mozilla Fuzzing Team, this vulnerability showed evidence of memory corruption and could potentially be exploited to run arbitrary code.
– CVE-2025-3034: Reported by Andrew McCreight and the Mozilla Fuzzing Team, this issue involved memory safety concerns in Firefox 136 and Thunderbird 136, particularly within the Just-In-Time (JIT) compiler and email processing modules.
Additional vulnerabilities addressed include:
– CVE-2025-3035: An issue where Firefox leaked document titles into chat prompts in versions prior to 137.
– CVE-2025-3029: A moderate-impact vulnerability involving URL bar spoofing using non-BMP Unicode characters, allowing crafted URLs to conceal the true origin of a webpage.
– CVE-2025-3031: A flaw where attackers could potentially read 32 bits of values spilled onto the stack in JIT-compiled functions.
– CVE-2025-3032: A vulnerability where file descriptors from the fork server could leak to web content processes, potentially enabling privilege escalation attacks.
These vulnerabilities collectively posed serious security risks, including denial of service, elevation of privilege, remote code execution, spoofing, and information disclosure.
New Features and Enhancements
Beyond security fixes, Firefox 137 introduces several user-centric features:
– Automatic Hyperlinking in PDFs: The browser now identifies all links within PDF documents and converts them into clickable hyperlinks, streamlining navigation and enhancing productivity.
– HEVC Playback Support on Linux: Linux users can now enjoy High Efficiency Video Coding (HEVC) playback, offering improved video quality and compression efficiency.
– Address Bar Calculator: The address bar doubles as a calculator; typing an arithmetic expression prompts Firefox to display the result in the drop-down, with an option to copy it to the clipboard.
– PDF Signing: Users can add signatures directly within Firefox, eliminating the need for external applications or online tools.
– MacOS Shortcut Update: Due to changes in MacOS Sequoia, the shortcut to auto-complete search strings to .com addresses has been updated from Ctrl+Enter to Cmd+Enter.
Developer Tools and Web Platform Enhancements
Firefox 137 also brings improvements for developers:
– Inspector Fonts Panel: Now displays metadata such as font version, designer, vendor, and license information.
– Network Panel: Allows overriding network request responses with local files, facilitating testing and debugging.
– SVG 2 Path API Support: Enables more sophisticated vector graphics in web pages.
– Hyphenate-Limit-Chars Property: Provides greater control over automatic hyphenation in text.
Recommendations
Given the critical nature of the vulnerabilities addressed, it is strongly recommended that all Firefox users update to version 137 immediately to ensure system security and benefit from the latest features.
