### Beta/Release Uplift Approval Request
* **User impact if declined**: We introduced an API in 115, with unwanted behavior that exposes storage.session events to content scripts. This new area is stored in memory, and is often used for decrypted data, such as password manager vaults. While this isn't a vulnerability in itself, it expands a potential attack surface if another part of the browser (or extension) is compromised.
* **Is this code covered by automated tests?**: Yes
* **Has the fix been verified in Nightly?**: Yes
* **Needs manual test from QE?**: No
* **If yes, steps to reproduce**:
* **List of other uplifts needed**: None
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: One additional condition in code that's well understood and not particularly complicated.
* **String changes made/needed**: none
* **Is Android affected?**: Yes
### ESR Uplift Approval Request
* **If this is not a sec:{high,crit} bug, please state case for ESR consideration**: Because of the long lifetime of 115 ESR, the potential for an exploit to use this bug to compromise users' data is higher.
* **User impact if declined**: Same as above.
* **Fix Landed on Version**: 117
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: Same.
Bug 1842009 Comment 9 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
### Beta/Release Uplift Approval Request
* **User impact if declined**: We introduced an API in 115, with unwanted behavior that exposes storage.session events to content scripts. This new area is stored in memory, and often used for decrypted data, such as password manager's vaults. While this isn't a vulnerability in itself, it expands the potential attack surface if another part of the browser (or extension) is compromised.
* **Is this code covered by automated tests?**: Yes
* **Has the fix been verified in Nightly?**: Yes
* **Needs manual test from QE?**: No
* **If yes, steps to reproduce**:
* **List of other uplifts needed**: None
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: One additional condition in code that's well understood and not particularly complicated.
* **String changes made/needed**: none
* **Is Android affected?**: Yes
### ESR Uplift Approval Request
* **If this is not a sec:{high,crit} bug, please state case for ESR consideration**: Because of the long lifetime of ESR, the potential for an exploit to use this bug to compromise users' data is higher.
* **User impact if declined**: Same as above.
* **Fix Landed on Version**: 117
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: Same.
### Beta/Release Uplift Approval Request
* **User impact if declined**: We introduced an API in 115, with unwanted behavior that exposes storage.session events to content scripts. This new area is stored in memory, and often used for decrypted data, such as password manager's vaults. While this isn't a vulnerability in itself, it expands the potential attack surface if another part of the browser (or extension) is compromised.
* **Is this code covered by automated tests?**: Yes
* **Has the fix been verified in Nightly?**: Yes
* **Needs manual test from QE?**: No
* **If yes, steps to reproduce**:
* **List of other uplifts needed**: None
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: One additional condition in code that's well understood and not particularly complicated.
* **String changes made/needed**: none
* **Is Android affected?**: Yes
### ESR Uplift Approval Request
* **If this is not a sec:{high,crit} bug, please state case for ESR consideration**: Because of the long lifetime of ESR, the potential for an exploit to use this bug to compromise users' data is higher.
* **User impact if declined**: Same as above.
* **Fix Landed on Version**: 117
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: Same as above, this code hasn't changed since 115.