The Mozilla Foundation has released the web browser Firefox in version 126, the version with long-term support Firefox ESR in version 115.11 and the mail client Thunderbird based on it, also in version 115.11. The programmers have fixed some highly risky security leaks in all programs. New and improved functions have also been introduced.

According to the release notes, in Firefox the developers have, among other things, improved the “Copy link without website tracking” option. You can now also remove parameters from nested URLs. The programmers have also expanded support to more than 300 tracking parameters, for example from shopping sites.

Firefox now also uses zstd as a compression algorithm. This is an alternative to Broti and gzip that achieves less processor load with the same compression rate or higher compression rates with the same CPU usage. Mac users with Apple Silicon M3 can look forward to AV1 hardware acceleration when decoding.

Security fixes in Firefox

If you value privacy, you should use another standard search engine like DuckDuckGo, as the developers are now collecting telemetry data for around 20 search categories. Collection is done without attribution to users and via OHTTP to remove IP addresses as potentially identifiable data. The data should also not be shared with third parties.

The new version also closes security vulnerabilities. With several active WebRTC threads, they could try to request a newly connected audio device at the same time, which results in a use-after-free gap. Resources that have already been released by the program code are accessed again, but the memory contents are no longer defined. Attackers can often misuse such vulnerabilities to inject and execute malicious code (CVE-2024-4764, risk high according to developers). Missing type checking for fonts in PDF.js can lead to arbitrary Javascript code execution (CVE-2024-4367, high). The security notice for Firefox 126 lists nine additional vulnerabilities of medium threat level in older versions of Firefox, as well as five vulnerabilities that were classified as low risk. Updates in Thunderbird and Firefox ESR 115.11.

The risky vulnerability in the type checking of fonts in PDF.js also affects Firefox ESR and Thunderbird 115.11, whose security notices list the identical vulnerabilities. The new versions seal five additional security holes of medium severity.

The release notes for Thunderbird 115.11 are short. The mouse-dragable separator between the task list and the task description did not behave as expected. In addition, the rows for participants in a calendar event were the wrong size.

Try a version check

In the version dialog you can find out whether the updated software versions are already running with the security fixes. The dialog can be accessed via the browser menu, which is located to the right of the address bar after clicking on the symbol with the three lines on top of each other. It opens under Help - About Firefox or About Thunderbird.

If an update is available, this also triggers the update process. At the end, the dialog also asks for the necessary restart in order to activate the new software version. Under Linux, the distribution's software management is usually responsible for this.

In April , the Mozilla developers released version 125 of the Firefox web browser. The developers fixed at least 15 security vulnerabilities. But expanded and improved functions were also part of the update.