Mozilla has officially released Firefox 140, a significant update that addresses multiple critical security vulnerabilities and introduces several new features aimed at improving user experience and browser performance. This release underscores Mozilla’s commitment to providing a secure and efficient browsing environment for its users.
Critical Security Vulnerabilities Addressed
One of the most pressing issues resolved in Firefox 140 is a high-impact use-after-free vulnerability identified as CVE-2025-6424. Discovered in the FontFaceSet component, this flaw could potentially allow attackers to execute arbitrary code on a victim’s system. The vulnerability was reported by security researchers LJP and HexRabbit from the DEVCORE Research Team. A use-after-free vulnerability occurs when a program continues to use memory after it has been freed, leading to memory corruption and possible exploitation. In this case, the flaw resided in Firefox’s font handling system, which manages web fonts and their loading operations. Exploitation of this vulnerability could result in a crash, providing an avenue for attackers to execute malicious code.
In addition to CVE-2025-6424, Firefox 140 addresses CVE-2025-6436, a collection of memory safety bugs that were present in previous versions of Firefox and Thunderbird. These vulnerabilities, reported by Mozilla’s internal security team, including Andrew McCreight, Gabriele Svelto, Beth Rennie, and the Mozilla Fuzzing Team, showed evidence of memory corruption. Memory safety issues, such as buffer overflows and double-free errors, can lead to arbitrary code execution if exploited. By resolving these issues, Mozilla enhances the overall security and stability of the browser.
Additional Security Enhancements
Firefox 140 also addresses several other security concerns:
– CVE-2025-6425: A moderate-impact vulnerability where the WebCompat WebExtension exposed a persistent UUID, potentially allowing user tracking across different browsing modes. This issue was identified by security researcher Rob Wu.
– CVE-2025-6426: A low-impact flaw affecting macOS users, where executable files with the terminal extension could open without proper warning dialogs, posing a risk of unintended software execution. Security researcher pwn2car reported this vulnerability.
– CVE-2025-6428: A vulnerability in Firefox for Android where the browser would incorrectly follow URLs specified in link query string parameters, potentially facilitating phishing attacks.
– CVE-2025-6431: An issue in Firefox for Android that allowed bypassing the external application prompt, exposing users to potential security risks in third-party applications.
Furthermore, the update includes fixes for Content Security Policy (CSP) bypass vulnerabilities, such as CVE-2025-6427 and CVE-2025-6430, which addressed issues related to subdocument manipulation and Content-Disposition header handling, respectively.
New Features and Enhancements
Beyond security fixes, Firefox 140 introduces several new features designed to enhance user experience:
– Vertical Pinned Tab Resizing: Users can now adjust the size of the pinned tabs section in the vertical tab layout. By dragging the divider, users can choose to display more or fewer pinned tabs, allowing for quicker access to important windows. ([mozilla.org](https://www.mozilla.org/firefox/notes?utm_source=openai))
– Memory Management for Inactive Tabs: A new Unload Tab option has been added to the tab context menu. This feature allows users to manually unload inactive tabs, freeing up system memory without closing the tabs. Unloaded tabs remain visible and are reloaded when selected again, functioning similarly to temporary bookmarks. ([mozilla.org](https://www.mozilla.org/firefox/notes?utm_source=openai))
– Simplified Addition of Custom Search Engines: Adding custom search engines is now more straightforward. Users can right-click on a search field of a supported website and select Add Search Engine to include it in their browser. Alternatively, users can manually enter custom search engines through the settings menu. ([mozilla.org](https://www.mozilla.org/firefox/notes?utm_source=openai))
– Reduced Clutter on New Tab Page: To minimize visual noise, Firefox 140 has removed descriptive text for recommended and sponsored stories on the New Tab page for some users. This change aims to provide a cleaner and more streamlined browsing experience. ([mozilla.org](https://www.mozilla.org/firefox/notes?utm_source=openai))
– Streamlined Translations: The on-device translation feature now prioritizes translating only the content visible on the screen, improving speed and reducing resource consumption. This enhancement ensures that translations are more efficient and responsive. ([mozilla.org](https://www.mozilla.org/firefox/notes?utm_source=openai))
– User-Defined Extension Management: Users now have the option to remove the extensions menu shortcut from the toolbar. This feature is particularly useful for those who do not use many add-ons, allowing for a more personalized and less cluttered interface. ([mozilla.org](https://www.mozilla.org/firefox/notes?utm_source=openai))
Developer-Focused Updates
Firefox 140 brings several updates beneficial to developers:
– Support for the CSS Custom Highlight API: This API allows developers to style arbitrary text ranges in a document, providing greater flexibility in web design. ([developer.mozilla.org](https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/140?utm_source=openai))
– Uniform User Agent Styles for `
