CVE-2019-11711: Improper Removal of Sensitive Information Before Storage or Transfer in Mozilla Firefox

Severity

NVD: 8.8 HIGH
OSV: 9.8
EPSS: 1.5% (top 19.05%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline

Published: Jul 23
Latest update: May 24

Description

When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (11 packages)

debian | debian/firefox | < firefox 68.0-1 (sid)
CVEListV5 | mozilla/firefox | unspecified | 68
NVD | mozilla/firefox | < 60.8.0+1
debian | debian/firefox-esr | < firefox 68.0-1 (sid)
CVEListV5 | mozilla/firefox_esr | unspecified | 60.8

Also affects: Debian Linux 8.0

🔴 Vulnerability Details (5)

GHSA | GHSA-3cqf-mfjf-xv44: When an inner window is reused, it does not consider the use of document | 2022-05-24
OSV | firefox regressions | 2019-07-25
OSV | CVE-2019-11711: When an inner window is reused, it does not consider the use of document | 2019-07-23
OSV | thunderbird vulnerabilities | 2019-07-17
OSV | firefox vulnerabilities | 2019-07-12

📋 Vendor Advisories (5)

Ubuntu | Firefox regressions | 2019-07-25
Ubuntu | Thunderbird vulnerabilities | 2019-07-17
Ubuntu | Firefox vulnerabilities | 2019-07-12
Red Hat | Mozilla: Script injection within domain through inner window reuse | 2019-07-10
Debian | CVE-2019-11711: firefox - When an inner window is reused, it does not consider the use of document.domain ... | 2019

💬 Community (1)

Bugzilla | CVE-2019-11711 Mozilla: Script injection within domain through inner window reuse | 2019-07-10