Mageia: 2020-0427 Moderate: Firefox Cross-Origin Timing Attack Fix

When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function took a variable amount of time depending on the content of the underlying image. This resulted in potential cross-origin information exposure of image content through timing side-channel attacks (CVE-2020-16012).
A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer (CVE-2020-26951).
It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user (CVE-2020-26953).
In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS (CVE-2020-26956).
Firefox did not block execution of scri...