diff --git a/CVE-2020-15673.patch b/CVE-2020-15673.patch
new file mode 100644
index 0000000000000000000000000000000000000000..875c6bc0efeb0aaaadf149f9ba6fe81274cbde26
--- /dev/null
+++ b/CVE-2020-15673.patch
@@ -0,0 +1,110 @@
+From ada473f61b5a35b894130cb1beac400d86811c34 Mon Sep 17 00:00:00 2001
+From: Simon Giesecke
+Date: Fri, 28 Aug 2020 15:50:38 +0000 (2020-08-28)
+Subject: [PATCH] CVE-2020-15673
+
+---
+ dom/indexedDB/ActorsChild.cpp | 26 +++++++++++++++++---------
+ dom/indexedDB/ActorsChild.h | 2 ++
+ netwerk/base/nsStandardURL.cpp | 1 +
+ 3 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/dom/indexedDB/ActorsChild.cpp b/dom/indexedDB/ActorsChild.cpp
+index 6aa4e0dd97..e075bcc9e2 100644
+--- a/dom/indexedDB/ActorsChild.cpp
++++ b/dom/indexedDB/ActorsChild.cpp
+@@ -1045,18 +1045,18 @@ template
+ class DelayedActionRunnable final : public CancelableRunnable {
+ using ActionFunc = void (T::*)();
+ 
+- T* mActor;
++ SafeRefPtr mActor;
+ RefPtr mRequest;
+ ActionFunc mActionFunc;
+ 
+ public:
+- explicit DelayedActionRunnable(T* aActor, ActionFunc aActionFunc)
++ explicit DelayedActionRunnable(SafeRefPtr aActor, ActionFunc aActionFunc)
+ : CancelableRunnable("indexedDB::DelayedActionRunnable"),
+- mActor(aActor),
+- mRequest(aActor->GetRequest()),
++ mActor(std::move(aActor)),
++ mRequest(mActor->GetRequest()),
+ mActionFunc(aActionFunc) {
+- MOZ_ASSERT(aActor);
+- aActor->AssertIsOnOwningThread();
++ MOZ_ASSERT(mActor);
++ mActor->AssertIsOnOwningThread();
+ MOZ_ASSERT(mRequest);
+ MOZ_ASSERT(mActionFunc);
+ }
+@@ -2917,6 +2917,13 @@ BackgroundCursorChild::~BackgroundCursorChild() {
+ MOZ_COUNT_DTOR(indexedDB::BackgroundCursorChild);
+ }
+ 
++template
++SafeRefPtr>
++BackgroundCursorChild::SafeRefPtrFromThis() {
++ return BackgroundCursorChildBase::SafeRefPtrFromThis()
++ .template downcast();
++}
++
+ template
+ void BackgroundCursorChild::SendContinueInternal(
+ const CursorRequestParams& aParams,
+@@ -3094,7 +3101,8 @@ void BackgroundCursorChild::SendContinueInternal(
+ // 1580499.
+ MOZ_ALWAYS_SUCCEEDS(NS_DispatchToCurrentThread(
+ MakeAndAddRef>>(
+- this, &BackgroundCursorChild::CompleteContinueRequestFromCache)));
++ SafeRefPtrFromThis(),
++ &BackgroundCursorChild::CompleteContinueRequestFromCache)));
+ 
+ // TODO: Could we preload further entries in the background when the size of
+ // mCachedResponses falls under some threshold? Or does the response
+@@ -3243,7 +3251,7 @@ void BackgroundCursorChild::HandleResponse(
+ if (!mCursor) {
+ MOZ_ALWAYS_SUCCEEDS(this->GetActorEventTarget()->Dispatch(
+ MakeAndAddRef>>(
+- this, &BackgroundCursorChild::SendDeleteMeInternal),
++ SafeRefPtrFromThis(), &BackgroundCursorChild::SendDeleteMeInternal),
+ NS_DISPATCH_NORMAL));
+ }
+ }
+@@ -3498,7 +3506,7 @@ NS_IMETHODIMP DelayedActionRunnable::Run() {
+ MOZ_ASSERT(mRequest);
+ MOZ_ASSERT(mActionFunc);
+ 
+- (mActor->*mActionFunc)();
++ ((*mActor).*mActionFunc)();
+ 
+ mActor = nullptr;
+ mRequest = nullptr;
+diff --git a/dom/indexedDB/ActorsChild.h b/dom/indexedDB/ActorsChild.h
+index a603aa1e87..62ba479c20 100644
+--- a/dom/indexedDB/ActorsChild.h
++++ b/dom/indexedDB/ActorsChild.h
+@@ -174,6 +174,8 @@ class BackgroundFactoryChild final : public PBackgroundIDBFactoryChild {
+ 
+ void SendDeleteMeInternal();
+ 
++ SafeRefPtr SafeRefPtrFromThis();
++
+ public:
+ // IPDL methods are only called by IPDL.
+ void ActorDestroy(ActorDestroyReason aWhy) override;
+diff --git a/netwerk/base/nsStandardURL.cpp b/netwerk/base/nsStandardURL.cpp
+index 2c02ae59aa..02689b7ba2 100644
+--- a/netwerk/base/nsStandardURL.cpp
++++ b/netwerk/base/nsStandardURL.cpp
+@@ -1809,6 +1809,7 @@ nsresult nsStandardURL::SetUsername(const nsACString& input) {
+ }
+ shift = ReplaceSegment(pos, len, escUsername);
+ mUsername.mLen = escUsername.Length() > 0 ? escUsername.Length() : -1;
++ mUsername.mPos = pos;
+ }
+ 
+ if (shift) {
+-- 
+2.33.0
+
diff --git a/firefox.spec b/firefox.spec
index 72983c47f88e6a33c08de20150557fade6abc468..baf7167610314f36255e27279d17a2d3cbe04b9b 100644
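Review bot: The ActorsChild.h hunk adds `SafeRefPtr SafeRefPtrFromThis();` under the `@@ -174` context `class BackgroundFactoryChild`, yet ActorsChild.cpp only defines `BackgroundCursorChild::SafeRefPtrFromThis()` (delegating to `BackgroundCursorChildBase::SafeRefPtrFromThis()`) and the diffstat leaves room for no other header change; because both classes carry the same `void SendDeleteMeInternal(); / public: / // IPDL methods are only called by IPDL.` context, this looks like a hunk that fuzz-applied into the wrong class during the 79.0 backport. If so, the cursor template's definition has no matching declaration and the factory-side declaration is dead — please verify where the hunk landed in the 79.0 header and move the declaration into the `BackgroundCursorChild` template if needed. Since the `SendDeleteMeInternal` runnable dispatched from HandleResponse now holds a strong `SafeRefPtr` across the call that tears the actor down, also confirm that the cursor actor's IPDL dealloc in 79.0 releases a reference rather than deleting the object outright, otherwise the `mActor = nullptr;` in `Run()` touches freed memory. Template arguments are missing throughout this rendering (`SafeRefPtr mActor`, `MakeAndAddRef>>(`, bare `template`), which I take to be a display artifact rather than the content of CVE-2020-15673.patch.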
--- a/firefox.spec +++ b/firefox.spec @@ -88,7 +88,7 @@ Summary: Mozilla Firefox Web browser Name: firefox Version: 79.0 -Release: 31 +Release: 32 URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz @@ -212,6 +212,7 @@ Patch668: CVE-2021-29988.patch Patch669: CVE-2021-23998.patch Patch670: CVE-2022-29912.patch Patch671: CVE-2024-0745.patch +Patch672: CVE-2020-15673.patch %if %{?system_nss} BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version} @@ -418,6 +419,7 @@ tar -xf %{SOURCE3} %patch669 -p1 %patch670 -p1 %patch671 -p1 +%patch672 -p1 %{__rm} -f .mozconfig %{__cp} %{SOURCE10} .mozconfig @@ -866,6 +868,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %endif %changelog +* Tue Sep 24 2024 lvfei - 79.0-32 +- Fix CVE-2020-15673 + * Wed Aug 14 2024 lvfei - 79.0-31 - Fix CVE-2024-0745
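Review bot: `Patch672: CVE-2020-15673.patch` records only the CVE, and the embedded patch's `Subject: [PATCH] CVE-2020-15673` carries no Bugzilla number while bundling an indexedDB change and an unrelated nsStandardURL change under a single author line, so the provenance of each hunk is lost to whoever next rebases this spec. My recollection is that CVE-2020-15673 is Mozilla's memory-safety rollup for Firefox 81 / ESR 78.3 covering several bugs, in which case the changelog line `- Fix CVE-2020-15673` overstates what this backport covers; please check against the Mozilla advisory before shipping that wording. Add a comment above the patch line naming the upstream bugs and commits, e.g. `# CVE-2020-15673 (partial): upstream indexedDB DelayedActionRunnable + nsStandardURL::SetUsername fixes`.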