Bugzilla

### Security Approval Request
* **How easily could an exploit be constructed based on the patch?**: I am not sure. There are a number of ways that a new thread could be spawned via JS interaction, starting a desktop capture, starting a call etc. These uses have different thread names that are all, as far as I can tell, string literals. There is very little control over the inputs to that function. Investigating this by looking at the code is made difficult by: 1) the number of places this can be triggered in the library, when we probably only exercise a small subset of them, and 2) the number of layers of indirection and proxy classes within the library.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: Unknown
* **Which older supported branches are affected by this flaw?**: Firefox 53+, ESR 60, ESR 68
* **If not all supported branches, which bug introduced the flaw?**: None
* **Do you have backports for the affected branches?**: No
* **If not, how different, hard to create, and risky will they be?**: They should be trivial to create, apply, and are low risk.
* **How likely is this patch to cause regressions; how much testing does it need?**: Probably fairly low, as it is code that exists elsewhere in the tree. I have only tested this on my personal Windows 10-64bit machine, and have not pushed to try to test other Windows build targets.

### Security Approval Request
* **How easily could an exploit be constructed based on the patch?**: I am not sure. There are a number of ways that a new thread could be spawned via JS interaction, starting a desktop capture, starting a call etc. These uses have different thread names that are all, as far as I can tell, string literals. There is very little control over the inputs to that function. Investigating this by looking at the code is made difficult by: 1) the number of places this can be triggered in the library, when we probably only exercise a small subset of them, and 2) the number of layers of indirection and proxy classes within the library.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: Unknown
* **Which older supported branches are affected by this flaw?**:  all (this landed in FFx 53)
* **If not all supported branches, which bug introduced the flaw?**: None
* **Do you have backports for the affected branches?**: No
* **If not, how different, hard to create, and risky will they be?**: They should be trivial to create, apply, and are low risk.
* **How likely is this patch to cause regressions; how much testing does it need?**: Probably fairly low, as it is code that exists elsewhere in the tree. I have only tested this on my personal Windows 10-64bit machine, and have not pushed to try to test other Windows build targets.

### Security Approval Request
* **How easily could an exploit be constructed based on the patch?**: I am not sure. There are a number of ways that a new thread could be spawned via JS interaction, starting a desktop capture, starting a call etc. These uses have different thread names that are all, as far as I can tell, string literals. There is very little control over the inputs to that function. Investigating this by looking at the code is made difficult by: 1) the number of places this can be triggered in the library, when we probably only exercise a small subset of them, and 2) the number of layers of indirection and proxy classes within the library.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: Unknown
* **Which older supported branches are affected by this flaw?**:  all (this landed in FFx 53)
* **If not all supported branches, which bug introduced the flaw?**: None
* **Do you have backports for the affected branches?**: No
* **If not, how different, hard to create, and risky will they be?**: They should be trivial to create and apply, and they are low risk.
* **How likely is this patch to cause regressions; how much testing does it need?**: Probably fairly low, as it is code that exists elsewhere in the tree. I have only tested this on my personal Windows 10-64bit machine, and have not pushed to try to test other Windows build targets.