First published: Thu Jun 20 2019
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Thunderbird | <60.7.2 | 60.7.2 |
Mozilla Firefox | <67.0.4 | 67.0.4 |
Mozilla Firefox ESR | <60.7.2 | 60.7.2 |
CVE-2019-11708 is a vulnerability in Mozilla Firefox and Thunderbird in which insufficient vetting of Prompt:Open IPC message parameters lets a compromised child process make the non-sandboxed parent process open web content chosen by the child.
CVE-2019-11708 has a severity rating of critical.
CVE-2019-11708 affects Mozilla Firefox versions before 67.0.4.
CVE-2019-11708 affects Mozilla Firefox ESR versions before 60.7.2.
CVE-2019-11708 affects Mozilla Thunderbird versions before 60.7.2.
Yes, updating to Mozilla Firefox version 67.0.4, Mozilla Firefox ESR version 60.7.2, or Mozilla Thunderbird version 60.7.2 will fix the vulnerability.
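To triage an inventory against the fixed versions listed above, the following added example (not code from Mozilla or from this page) classifies version banners as affected or fixed. The banner shapes, such as `Mozilla Firefox 60.7.1esr`, and the function names are assumptions. Pre-release strings are returned as unknown rather than guessed.

```python
import re

# Fixed versions, copied from the "How to fix" column of the table on this page.
FIXED = {
    "firefox": (67, 0, 4),
    "firefox-esr": (60, 7, 2),
    "thunderbird": (60, 7, 2),
}

# Assumed banner shapes: "Mozilla Firefox 67.0.3", "Mozilla Firefox 60.7.1esr",
# "Thunderbird 60.7.1". Anything else (betas, nightlies) is left for manual review.
_BANNER = re.compile(
    r"\b(firefox|thunderbird)\s+(\d+(?:\.\d+){0,3})(esr)?(?![\w.])",
    re.IGNORECASE,
)

def parse_banner(banner):
    """Return (product, version_tuple) or None if the banner is not recognised."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    product = m.group(1).lower()
    if product == "firefox" and m.group(3):
        product = "firefox-esr"  # ESR is fixed on its own branch, not at 67.0.4
    parts = [int(p) for p in m.group(2).split(".")]
    parts += [0] * (4 - len(parts))  # pad so "67.0" compares as 67.0.0.0
    return product, tuple(parts)

def triage(banner):
    """Classify one banner as 'affected', 'fixed' or 'unknown' for CVE-2019-11708."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None, "unknown"
    product, version = parsed
    fixed = FIXED[product] + (0,)
    return product, "affected" if version < fixed else "fixed"

if __name__ == "__main__":
    # Constructed inventory lines, not taken from any real host.
    for line in ["Mozilla Firefox 67.0.3", "Mozilla Firefox 60.7.2esr",
                 "Thunderbird 60.7.1", "Mozilla Firefox 68.0b11"]:
        print(line, "->", triage(line))
```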
You can find more information about CVE-2019-11708 at the following references:

1. [Bugzilla - Mozilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1559858)
2. [Mozilla Security Advisory - MFSA2019-19](https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/)
3. [Mozilla Security Advisory - MFSA2019-20](https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/)