CyberSec.Space Logo
Back to CVE Browser

CVE-2019-11707

Known Exploited (CISA KEV)HIGH
8.8
CVSS Severity Score
EPSS Score96.3720%
EPSS Percentile96.66th
PublishedJul 23, 2019
Last ModifiedOct 27, 2025

Vulnerability Description

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

Affected Platforms (CPE)

πŸ“¦
Mozilla

Firefox

< 60.7.1
πŸ“¦
Mozilla

Firefox

< 67.0.3
πŸ“¦
Mozilla

Thunderbird

< 60.7.2

References & Advisories

πŸ”— https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
πŸ”— https://security.gentoo.org/glsa/201908-12
πŸ”— https://www.mozilla.org/security/advisories/mfsa2019-18/
πŸ”— https://www.mozilla.org/security/advisories/mfsa2019-20/
πŸ”— https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
πŸ”— https://security.gentoo.org/glsa/201908-12
πŸ”— https://www.mozilla.org/security/advisories/mfsa2019-18/
πŸ”— https://www.mozilla.org/security/advisories/mfsa2019-20/

Related Vulnerabilities

CVE-2019-1170810.0

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the no...

CVE-2019-2513610.0

A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and ...

CVE-2018-1850510.0

An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication betwee...

CVE-2020-1238810.0

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this iss...