How easily could an exploit be constructed based on the patch?
Probably not easily. This is a really tight use-after-free on the heap, and no reproduction on the patch.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No. No tests, the comment references perf, and no comments are changed in the patch.

Which older supported branches are affected by this flaw?
All supported branches. The lines of code that affect this were added in 2018: https://hg.mozilla.org/mozilla-central/rev/2ab582bacc98fecfc3cc52b3f275a23ff40a683f

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
No, but this is a one-line diff on a line last touched in Fx81. Naively applying this patch will work.

How likely is this patch to cause regressions; how much testing does it need?
Low risk. Equivalent line-for-line change on already tested code (gtest DOM_Base_ContentUtils.IsURIInList).
Bug 1873597 Comment 11 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
sec approval request was in the wrong text box. Whoops!