References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q

Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.

AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-347

https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e

https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q