Firefox 16 was pulled off Mozilla's installer page yesterday, just one day after its release, to fix a vulnerability that could have allowed a malicious site to identify which Web sites a user had visited, said Michael Coates, Mozilla's director of Security Assurance. The flaw was publicly disclosed yesterday by security researcher Gareth Heyes, who published proof-of-concept code to demonstrate the vulnerability.
Though Mozilla said it had no evidence that the vulnerability was being exploited in the wild, the company recommended that users who had upgraded to version 16 downgrade to version 15.0.1, which was deemed unaffected by the flaw.
At noon today, the new version -- Firefox 16.0.1 -- was released to Mozilla's upgrade servers and was pushed to users who had previously downloaded Firefox 16. A fix for the Android version of Firefox was released last night.
Mozilla also provided more information about the nature of the flaw, which it rated as critical.
"Mozilla security researcher 'moz_bug_r_a4' reported a regression where security wrappers are unwrapped without doing a security check in defaultValue()," Mozilla said in an accompanying advisory. "This can allow for improper access to the Location object. In versions 15 and earlier of affected products, there was also the potential for arbitrary code execution."
The new version of the Web browser landed Tuesday with support for HTML5, indicating that Mozilla has decided it has matured enough to run in the browser without causing instability. The new version includes CSS3 Animations; Transforms; Transitions; Image Values; Values and Units; and IndexedDB.