Backport ESR 102.5 security fixes to 91.13-based Tor Browser

Advisories: https://www.mozilla.org/en-US/security/advisories/mfsa2022-48/

CVE-2022-45403: Service Workers might have learned size of cross-origin media files

• https://bugzilla.mozilla.org/show_bug.cgi?id=1762078

CVE-2022-45404: Fullscreen notification bypass

• https://bugzilla.mozilla.org/show_bug.cgi?id=1790815

CVE-2022-45405: Use-after-free in InputStream implementation

• https://bugzilla.mozilla.org/show_bug.cgi?id=1791314

CVE-2022-45406: Use-after-free of a JavaScript Realm

• https://bugzilla.mozilla.org/show_bug.cgi?id=1791975

CVE-2022-45408: Fullscreen notification bypass via windowName

• https://bugzilla.mozilla.org/show_bug.cgi?id=1793829

CVE-2022-45409: Use-after-free in Garbage Collection

• https://bugzilla.mozilla.org/show_bug.cgi?id=1796901

CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy

• https://bugzilla.mozilla.org/show_bug.cgi?id=1658869

CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers

• https://bugzilla.mozilla.org/show_bug.cgi?id=1790311

CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers

• https://bugzilla.mozilla.org/show_bug.cgi?id=1791029

CVE-2022-45416: Keystroke Side-Channel Leakage

• https://bugzilla.mozilla.org/show_bug.cgi?id=1793676

CVE-2022-45418: Custom mouse cursor could have been drawn over browser UI

• https://bugzilla.mozilla.org/show_bug.cgi?id=1795815
  • too much code churn over the past 1.5 years to apply

CVE-2022-45420: Iframe contents could be rendered outside the iframe

• https://bugzilla.mozilla.org/show_bug.cgi?id=1792643

CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

• https://bugzilla.mozilla.org/show_bug.cgi?id=1794061
  • too much code churn to apply
• https://bugzilla.mozilla.org/show_bug.cgi?id=1767920
• https://bugzilla.mozilla.org/show_bug.cgi?id=1789808