CVE-2019-17022

Name of the Vulnerable Software and Affected Versions Firefox ESR versions prior to 68.4 Firefox versions prior to 72

Description The issue arises when a <style> tag is pasted from the clipboard into a rich text editor, and the CSS sanitizer fails to escape < and > characters. Although this does not directly result in webpage injection, it can lead to an XSS vulnerability if a webpage copies the node's innerHTML and assigns it to another innerHTML. Two WYSIWYG editors have been identified with this behavior, suggesting more may exist.

Recommendations For Firefox ESR versions prior to 68.4, update to version 68.4 or later. For Firefox versions prior to 72, update to version 72 or later. As a temporary workaround, consider disabling the use of rich text editors that exhibit this behavior until a patch is available. Restrict access to innerHTML assignments to minimize the risk of exploitation.