CVE-2019-11716 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation CWE-212 — Improper Removal of Sensitive Information Before Storage or Transfer10 documents7 sources

Severity

8.3HIGHNVD

OSV9.8

EPSS

0.6%

top 30.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJul 23

Latest updateMay 24

Description

Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed. This vulnerability affects Firefox < 68.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.7

Affected Packages4 packages

▶debiandebian/firefox< firefox 68.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 68

▶NVDmozilla/firefox< 68.0

▶Ubuntumozilla/firefox< 68.0+build3-0ubuntu0.16.04.1+3

🔴Vulnerability Details

GHSA

GHSA-3mrp-wph9-cw58: Until explicitly accessed by script, window↗2022-05-24

▶

OSV

firefox regressions↗2019-07-25

▶

OSV

firefox vulnerabilities↗2019-07-12

▶

OSV

CVE-2019-11716: Until explicitly accessed by script, window↗2019-07-11

▶

📋Vendor Advisories

Ubuntu

Firefox regressions↗2019-07-25

▶

Ubuntu

Firefox vulnerabilities↗2019-07-12

▶

Red Hat

Mozilla: globalThis not enumerable until accessed↗2019-07-09

▶

Debian

CVE-2019-11716: firefox - Until explicitly accessed by script, window.globalThis is not enumerable and, as...↗2019

▶

💬Community

Bugzilla

CVE-2019-11716 Mozilla: globalThis not enumerable until accessed↗2019-07-18

▶