Can anyone confirm if dom.animations-api.timelines.enabled=false fixes CVE-2024-9680?
It's so utterly stupid that infosec press is all "update to latest shit from vendor" rather than "here's how to turn off the useless feature nobody asked for that the vulnerability is in".
If my proposed about:config mitigation doesn't work, I guarantee there's an extension-based approach that blocks access to the vulnerable API in any version of the browser rather than requiring accepting whatever new version is offered.
@dalias Especially now that Mozilla has made it clear that any version can undo your privacy settings or introduce new horrors.
@chrisg Yes. Given the direction the Mozilla org is taking, automatic updates or updates without critical review are a non-starter.
@dalias I've been outsourcing my critical review to @librewolf for the last few releases.
Librewolf is essentially doing to Firefox what the Mozilla Suite did to Netscape 20 years ago: providing the same tool but minus all the corporate garbage.