firefox-esr is vulnerable to arbitrary code execution. The vulnerability exists because a cross-origin iframe referencing an XSLT document inherits the parent domain’s permissions, which allows an attacker to inject and execute arbitrary commands.
access.redhat.com/security/cve/CVE-2022-38473
bugzilla.mozilla.org/show_bug.cgi?id=1771685
security-tracker.debian.org/tracker/CVE-2022-38473
www.mozilla.org/security/advisories/mfsa2022-33/
www.mozilla.org/security/advisories/mfsa2022-34/
www.mozilla.org/security/advisories/mfsa2022-35/
www.mozilla.org/security/advisories/mfsa2022-36/
www.mozilla.org/security/advisories/mfsa2022-37/