PT-2019-4557 · Mozilla+3 · Firefox+3

Chris Hacking · Published 2019-07-09 · Updated 2024-12-12 · CVE-2019-11716

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Firefox versions prior to 68

Description

The issue is in window.globalThis in the Firefox browser and shows up as an error in the result of Object.getOwnPropertyNames(window). It allows an attacker to bypass a sandbox (an isolated programming environment). By exploiting it, a remote attacker can access confidential data, compromise its integrity, and cause a denial of service. The problem arises because window.globalThis is not enumerable until explicitly accessed by a script, which makes it invisible to certain code, such as Object.getOwnPropertyNames(window). Sites that build a sandbox by enumerating the properties of the window object and freezing access to them can therefore have that sandbox bypassed.

Recommendations

Update Firefox to version 68 or later to resolve the issue. As a temporary workaround, consider restricting access to the window object to minimize the risk of exploitation.
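
The enumeration gap described above, as an added example that is not Mozilla's code and not part of the original entry: a constructed Proxy stands in for a window object whose globalThis property is reported by Object.getOwnPropertyNames only after a first read. The names makeLazyGlobal, enumeratedNames, missedByEnumeration and allowlistView are hypothetical, and the allowlist view is one assumed way to restrict access to the window object.

```javascript
// Constructed model, not Firefox code: a window-like object whose lazyName
// property is absent from own-key enumeration until a script first reads it.
function makeLazyGlobal(eager, lazyName) {
  const target = { ...eager };
  return new Proxy(target, {
    get(t, key, receiver) {
      if (key === lazyName && !Object.prototype.hasOwnProperty.call(t, key)) {
        // The first read defines the property; only then can it be listed.
        Object.defineProperty(t, key, {
          value: receiver, writable: true, enumerable: false, configurable: true,
        });
      }
      return Reflect.get(t, key, receiver);
    },
  });
}

// What an enumerate-and-freeze sandbox covers: only what enumeration reports.
function enumeratedNames(globalObj) {
  return new Set(Object.getOwnPropertyNames(globalObj));
}

// Defender check: names from an independent list that resolve on the object
// although the enumeration snapshot taken beforehand did not report them.
function missedByEnumeration(globalObj, expectedNames) {
  const seen = enumeratedNames(globalObj); // snapshot before any property read
  return expectedNames.filter((n) => !seen.has(n) && globalObj[n] !== undefined);
}

// Allowlist alternative (assumed design): guest code receives a frozen object
// holding only approved names, so an unlisted property is simply not there.
function allowlistView(globalObj, allowed) {
  const view = Object.create(null);
  for (const n of allowed) view[n] = globalObj[n];
  return Object.freeze(view);
}

// Constructed sample input.
const demo = makeLazyGlobal({ fetch: () => "network", parseInt }, "globalThis");
console.log("covered by enumeration:", [...enumeratedNames(demo)]);
console.log("missed:", missedByEnumeration(demo, ["fetch", "parseInt", "globalThis"]));
console.log("allowlist exposes:", Object.keys(allowlistView(demo, ["parseInt"])));
```

A denylist built from enumeration is only as complete as the enumeration itself, while the allowlist view does not depend on it.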

Fix

RCE


Weakness Enumeration

Related Identifiers

ALT-PU-2019-2301
ALT-PU-2019-2324
ALT-PU-2019-2479
ALT-PU-2019-2486
BDU:2020-00603
CVE-2019-11716
MGASA-2019-0213
MGASA-2019-0272
OPENSUSE-SU-2019:2248-1
OPENSUSE-SU-2019:2249-1
OPENSUSE-SU-2019:2251-1
OPENSUSE-SU-2019:2260-1
OPENSUSE-SU-2019_2248-1
OPENSUSE-SU-2019_2249-1
OPENSUSE-SU-2019_2251-1
OPENSUSE-SU-2019_2260-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:14572-1
SUSE-SU-2019:14246-1
SUSE-SU-2019:2515-1
SUSE-SU-2019:2545-1
SUSE-SU-2019:2620-1
SUSE-SU-2019_14246-1
USN-4054-1
USN-4054-2

Affected Products

Alt Linux
Firefox
Suse
Ubuntu