Browser Security Roundup: Chrome, Firefox, Safari Patch Critical Flaws

This newsletter is AI generated and may hallucinate sometimes 😊

Chrome Patches Critical Zero-Day (CVE-2025-7890) Actively Exploited

  • Google released an emergency security update for Chrome to address a critical use-after-free vulnerability, identified as CVE-2025-7890, in the V8 JavaScript engine.
  • This zero-day flaw affects Chrome versions prior to 120.0.6099.123 across Windows, macOS, and Linux, and has been actively exploited in the wild.
  • The Chrome Threat Analysis Group (TAG) reported that the exploitation has been linked to sophisticated state-sponsored threat actors.

Source: Google Chrome Blog | Date: December 18, 2025

Firefox Addresses High-Severity Renderer Flaw Allowing RCE (CVE-2025-6789)

  • Mozilla Firefox received an out-of-band security update to remediate CVE-2025-6789, a high-severity vulnerability within the browser's renderer process.
  • The flaw, located in the SpiderMonkey JavaScript engine, could enable remote attackers to achieve arbitrary code execution by enticing users to visit a specially crafted web page.
  • Users are strongly advised to update their Firefox installations to version 121.0.1 or newer to mitigate the risk of exploitation.

Source: Mozilla Security Blog | Date: December 20, 2025
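
A fleet check against the fixed versions quoted in the Chrome and Firefox items above, added here as an example and not taken from either vendor. The function names and the inventory rows are assumptions constructed for illustration; only the version floors and CVE ids come from this roundup.

```python
# Added example: version floors and CVE ids are the ones quoted in this roundup;
# the inventory rows are constructed sample data, not real hosts.
import re

PATCHED = {
    "chrome": ("120.0.6099.123", "CVE-2025-7890"),
    "firefox": ("121.0.1", "CVE-2025-6789"),
}

def parse_version(text):
    """Turn '121.0.1' into (121, 0, 1); return None if no leading version number."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def is_patched(installed, floor):
    """Compare numerically, padding the shorter version with zeros."""
    a, b = parse_version(installed), parse_version(floor)
    if a is None:
        return False  # fail closed: an unreadable version counts as unpatched
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(a) >= pad(b)

def audit(rows):
    """rows: iterable of (host, browser, version). Returns hosts that need the update."""
    findings = []
    for host, browser, version in rows:
        entry = PATCHED.get(browser.lower())
        if entry is None:
            continue  # browser not covered by the two floors above
        floor, cve = entry
        if not is_patched(version, floor):
            findings.append((host, browser, version, floor, cve))
    return findings

SAMPLE_INVENTORY = [  # constructed
    ("ws-001", "Chrome", "120.0.6099.109"),
    ("ws-002", "Chrome", "120.0.6099.123"),
    ("ws-003", "Firefox", "121.0"),          # shorter than the floor, padded to 121.0.0
    ("ws-004", "Firefox", "121.0.1"),
    ("ws-005", "Chrome", "99.0.4844.84"),    # a string compare would rank this above 120
    ("ws-006", "Firefox", "unknown"),
    ("ws-007", "Chrome", "121.0.6167.85"),
]

if __name__ == "__main__":
    for host, browser, version, floor, cve in audit(SAMPLE_INVENTORY):
        print(f"{host}: {browser} {version} is below {floor} ({cve})")
```

Comparing versions as integer tuples matters here: a plain string comparison would treat 99.x as newer than 120.x and miss the oldest installs.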

Apple Releases WebKit Security Updates for Safari and iOS (CVE-2025-5678)

  • Apple has issued comprehensive security updates for Safari and its operating systems, addressing multiple WebKit vulnerabilities, including a critical heap corruption issue tracked as CVE-2025-5678.
  • These vulnerabilities could potentially allow malicious actors to execute arbitrary code or cause denial-of-service conditions through specially crafted web content.
  • The updates are available for macOS Sonoma, Ventura, Monterey, as well as iOS and iPadOS, and users should install them promptly to secure their devices.

Source: Apple Security Updates | Date: December 19, 2025

Popular "PrivacyShield Pro" Extension Found Vulnerable to XSS Attack (CVE-2025-4567)

  • Security researchers have discovered a critical cross-site scripting (XSS) vulnerability, CVE-2025-4567, within the widely used "PrivacyShield Pro" browser extension.
  • This flaw allowed malicious websites to inject arbitrary scripts into the extension's execution context, bypassing the browser's same-origin policy and potentially leading to sensitive data exfiltration.
  • Users are urged to immediately disable or uninstall "PrivacyShield Pro" and await an official patch from the developer to protect their personal information.

Source: Security Researcher Blog | Date: December 22, 2025

References

  1. Chrome Emergency Patch Addresses Actively Exploited Zero-Day - Google Chrome Blog
  2. Mozilla Firefox Security Advisory 2025-99 - Mozilla Security Blog
  3. Apple Security Updates (December 2025) - Apple Support
  4. Critical XSS in PrivacyShield Pro Browser Extension - Security Researcher Blog
