PT-2019-2969 · Mozilla+6 · Thunderbird+8

Freddy +1 · Published 2019-06-19 · Updated 2025-09-29 · CVE-2019-11708

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Mozilla Firefox versions prior to 67.0.4
Mozilla Firefox ESR versions prior to 60.7.2
Thunderbird versions prior to 60.7.2

Description

The issue is caused by insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes. This can result in the non-sandboxed parent process opening web content chosen by a compromised child process, potentially allowing attackers to execute arbitrary code on the user's computer when combined with additional vulnerabilities.

Recommendations

For Mozilla Firefox versions prior to 67.0.4, update to version 67.0.4 or later.
For Mozilla Firefox ESR versions prior to 60.7.2, update to version 60.7.2 or later.
For Thunderbird versions prior to 60.7.2, update to version 60.7.2 or later.

As a temporary workaround, consider restricting access to the Prompt:Open IPC message to minimize the risk of exploitation.

Exploit

Fix

RCE


Weakness Enumeration

Related Identifiers

ALSA-2025_0595
ALSA-2025_0693
ALSA-2025_16880
ALT-PU-2019-2118
ALT-PU-2019-2122
ALT-PU-2019-2130
ALT-PU-2019-2132
ALT-PU-2019-2133
ALT-PU-2019-2324
ALT-PU-2019-2479
ALT-PU-2019-2486
BDU:2019-02947
CESA-2019_1603
CESA-2019_1604
CESA-2019_1623
CESA-2019_1624
CESA-2019_1626
CESA-2019_1696
CVE-2019-11708
DLA-1836-1
DSA-4471-1
DSA-4474-1
ELSA-2019-1603
ELSA-2019-1604
ELSA-2019-1623
ELSA-2019-1624
ELSA-2019-1626
ELSA-2019-1696
MGASA-2019-0201
MGASA-2019-0202
MGASA-2020-0009
OPENSUSE-SU-2019:1595-1
OPENSUSE-SU-2019:1606-1
OPENSUSE-SU-2019:1664-1
OPENSUSE-SU-2019_1594-1
OPENSUSE-SU-2019_1595-1
OPENSUSE-SU-2019_1606-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:10601-1
OPENSUSE-SU-2024:14572-1
RHSA-2019:1603
RHSA-2019:1604
RHSA-2019:1623
RHSA-2019:1624
RHSA-2019:1626
RHSA-2019:1696
RHSA-2019_1603
RHSA-2019_1604
RHSA-2019_1623
RHSA-2019_1624
RHSA-2019_1626
RHSA-2019_1696
SUSE-SU-2019:14124-1
SUSE-SU-2019:1682-1
SUSE-SU-2019:1683-1
SUSE-SU-2019:1684-1
SUSE-SU-2019_14124-1
SUSE-SU-2019_1682-1
SUSE-SU-2019_1684-1
USN-4032-1
USN-4045-1

Affected Products

Alt Linux
CentOS
Firefox
Firefox ESR
Red Hat
SUSE
Thunderbird
Tor Browser
Ubuntu