CVE-2019-11711
First published: Tue Jul 09 2019(Updated: )
When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | <68 | 68 |
| <68 | 68 | |
| <60.8 | 60.8 | |
| <60.8 | 60.8 | |
| Mozilla Firefox | <68.0 | |
| Mozilla Firefox ESR | <60.8.0 | |
| Mozilla Thunderbird | <60.8.0 | |
| Debian Debian Linux | =8.0 | |
| <68 | 68 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1552541
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-28/
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html
- https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html
- https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html
- https://security.gentoo.org/glsa/201908-12
- https://security.gentoo.org/glsa/201908-20
- https://www.mozilla.org/security/advisories/mfsa2019-21/
- https://www.mozilla.org/security/advisories/mfsa2019-22/
- https://www.mozilla.org/security/advisories/mfsa2019-23/
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2019-11711?
CVE-2019-11711 is a vulnerability that allows an attacker to inject script into arbitrary pages on different subdomains in Firefox and Thunderbird.
How does CVE-2019-11711 affect Mozilla Firefox and Firefox ESR?
CVE-2019-11711 affects Mozilla Firefox versions up to and excluding 68 and Firefox ESR versions up to and excluding 60.8.
How does CVE-2019-11711 affect Mozilla Thunderbird?
CVE-2019-11711 affects Mozilla Thunderbird versions up to and excluding 68.
How can an attacker exploit CVE-2019-11711?
An attacker can exploit CVE-2019-11711 by abusing the reuse of an inner window and using document.domain for cross-origin protections to inject script into arbitrary pages on different subdomains.
What is the severity of CVE-2019-11711?
CVE-2019-11711 has a severity rating of 8.8 (high) according to the Common Vulnerability Scoring System (CVSS).
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/event
- agent/author
- agent/description
- agent/severity
- agent/references
- agent/software-canonical-lookup-request
- agent/tags
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- vendor/mozilla
- canonical/mozilla thunderbird
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0