#VU33032 Input validation error in Firefox ESR


Published: 2019-07-23 | Updated: 2020-08-03

Vulnerability identifier: #VU33032

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11711

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Firefox ESR
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Firefox ESR: 60.0 - 60.7.2

External links
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html
http://bugzilla.mozilla.org/show_bug.cgi?id=1552541
http://lists.debian.org/debian-lts-announce/2019/08/msg00001.html
http://lists.debian.org/debian-lts-announce/2019/08/msg00002.html
http://security.gentoo.org/glsa/201908-12
http://security.gentoo.org/glsa/201908-20
http://www.mozilla.org/security/advisories/mfsa2019-21/
http://www.mozilla.org/security/advisories/mfsa2019-22/
http://www.mozilla.org/security/advisories/mfsa2019-23/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Unity Family, Dell EMC Unity XT Family
Multiple vulnerabilities in Dell EMC Secure Remote Services (SRS) Virtual Edition
OpenSUSE Linux update for MozillaThunderbird
Gentoo update for Mozilla Thunderbird
OpenSUSE Linux update for MozillaThunderbird
OpenSUSE Linux update for MozillaFirefox
Input validation error in Mozilla Firefox ESR
OpenSUSE Linux update for MozillaFirefox
Red Hat Enterprise Linux 8 update for thunderbird
Red Hat Enterprise Linux 6 update for thunderbird