CVE-2019-11708

Summary

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefox ESRunspecified < 60.7.2affected
MozillaFirefoxunspecified < 67.0.4affected
MozillaThunderbirdunspecified < 60.7.2affected

Weaknesses

  • sandbox escape using Prompt:Open

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References