From: jj4public@gmail.com   
      
   On Sat, 3 Jan 2026 09:48:17 -0600, VanguardLH wrote:   
   >   
   > What I couldn't tell from the CVE reports mentioned by Shadow is whether   
   > or not the memory reuse vulnerability was in Javascript interpreter in   
   > Firefox, as Shadow and yeti surmised rather blindly, or in some other   
   > part of Firefox.  As you say, disabling Javascript in web docs won't   
   > affect Javascript employed elsewhere.  Plus, the CVEs only mention some   
   > memory pointer reuse, and never mentioned Javascript at all nor the   
   > vulnerability was only within the scope of Javascript employed in   
   > malicious web docs.   
      
   It's likely both. Disability API requires JS to access, and memory   
   management is beyond the reach of JS code.   
      
   The first CVE may be a bug in Disability API object destruction routine. The   
   second CVE may be a long standing bug in Firefox's general memory   
   management.   
      
   I always suspect that, Firefox's memory management has a problem which kept   
   piling up little by little getting ready to blow up. If you use Firefox as   
   your main browser, you might be aware of its long standing memory leak   
   problem. Most notably, when browsing search results and accessing result   
   items back and forth in Google Maps.   
      
   > With uBlock Origin still usable in Firefox, you could define it to block   
   > 3rd-party scripts, but not 1st-party scripts.   
      
   IMO, the uBlock Origin's colored filter UI design is flawed. We have to   
   block the domain name in order to block 1st party scripts of the current   
   site. The "1st-party" setting alone doesn't do anything. I kept the old   
   uMatrix (also based on uBlock) along side uBlock Origin, since it provides   
   much finer control on this matter. I only use uBlock for URL based filter.   
      
   > I also used to block 3rd-party web fonts which   
   > allow the font foundaries (most Google) to track where you visited,   
   > perhaps even which page, when you visited, and how often.  Problem was   
   > the pages could get rather difficult to figure out what a placeholder   
   > icon would do when clicked on unless I dug into code, and that's way too   
   > much trouble.   
      
   That! I hate that too. Moreover most sites which use them for icons, they   
   only need less than 25% of the font characters. Wasting more resources than   
   what they try to save. The final result has bigger waste ratio.   
      
   > but when I go there it says I need to login.  I also went to   
   > bugzilla.mozilla.org to search on 2000597, but got the same denial.  I   
   > can do a search to find bug tickets without logging in, but not this one   
   > nor 1996570 or 1999700 for the other CVE.  If you can login, do those   
   > bug tickets report the Javascript engine is the culprit when a web doc's   
   > script or Firefox uses the Disability API?   
      
   The details of crucial bugs are usually kept confidential or at least have   
   strict public access to prevent it from being misused.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)