| Severity | Critical |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE ID | CVE-2019-11707 |
| CVSSv3 |
8.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C] |
| CWE ID |
CWE-843 |
| Exploitation vector | Network |
| Public exploit | This vulnerability is being exploited in the wild. |
| Vulnerable software |
Firefox ESR Mozilla Firefox |
| Vulnerable software versions |
Firefox ESR 60.7.0 Firefox ESR 60.6.3 Firefox ESR 60.6.2 Show more Mozilla Firefox 67.0.2 Mozilla Firefox 67.0.1 Mozilla Firefox 67.0 Show more |
| Vendor URL | Mozilla |
UPDATED 20.06.2019
Added information about additional vulnerability, exploited in the attack.
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when manipulating JavaScript objects due to issues in Array.pop. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild along with SB2019062002 (CVE-2019-11708).
Install updates from vendor's website.
External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2019-18/
https://twitter.com/5aelo/status/1141273394723414016
https://twitter.com/SecurityGuyPhil/status/1141466335592869888