CVE-2019-11691

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 67 Firefox ESR versions prior to 60.7 Thunderbird versions prior to 60.7

Description A use-after-free issue can occur when working with XMLHttpRequest (XHR) in an event loop, causing the XHR main thread to be called after it has been freed. This results in a potentially exploitable crash, allowing a remote attacker to access confidential data, compromise data integrity, and cause a denial of service.

Recommendations For Firefox versions prior to 67, update to version 67 or later to resolve the issue. For Firefox ESR versions prior to 60.7, update to version 60.7 or later to resolve the issue. For Thunderbird versions prior to 60.7, update to version 60.7 or later to resolve the issue. As a temporary workaround, consider disabling the use of XMLHttpRequest (XHR) in event loops until a patch is available.