> All vulnerabilities require user interaction (processing a malicious PNG file)
What world is the author living in where PNGs aren't very frequently read and written with no user interaction. The web obviously displays PNGs with no prompt, sites can generate PNGs with canvas trivially and with no explicit permission. PNGs are also often displayed in notifications and may come from untrustworthy sources.
This feels like an irresponsible downplay of the severity.
I thought this initially too, but there's a comment on https://bugzilla.mozilla.org/show_bug.cgi?id=2001758#c5 that suggests a belief it doesn't affect Firefox at all. So I don't know if the surface for these is particularly obscure such that browsers are insulated?
What world is the author living in where PNGs aren't very frequently read and written with no user interaction. The web obviously displays PNGs with no prompt, sites can generate PNGs with canvas trivially and with no explicit permission. PNGs are also often displayed in notifications and may come from untrustworthy sources.
This feels like an irresponsible downplay of the severity.