PT-2019-4557 · Mozilla+3 · Firefox+3

Chris Hacking · Published 2019-07-09 · Updated 2024-12-12 · CVE-2019-11716

CVSS v3.1: 8.3 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Firefox versions prior to 68

Description

In affected Firefox versions, window.globalThis is not enumerable until a script explicitly accesses it, so code that enumerates the global object, such as Object.getOwnPropertyNames(window), does not see it. Sites that build a sandbox by enumerating the window object and freezing access to each property therefore miss window.globalThis, and the sandbox can be bypassed. A remote attacker who exploits this issue can access confidential data, compromise its integrity, and cause a denial of service.

Recommendations

Update Firefox to version 68 or later to resolve the issue. As a temporary workaround, consider restricting access to the window object to minimize the risk of exploitation.
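The failure mode in the description, as an added JavaScript example (not Mozilla's code and not part of the original advisory): a Proxy-based model of a global object whose globalThis stays hidden from Object.getOwnPropertyNames until first read, with a shadow list built from enumeration beside one that names globalThis explicitly. makeLazyGlobal, runGuest, ALLOWED and ALWAYS_SHADOW are hypothetical names, and the sample properties are constructed.

```javascript
// Constructed model, not Firefox code: "globalThis" is missing from own-key
// enumeration until it is first read, as the description states.
function makeLazyGlobal(props) {
  let resolved = false;
  const proxy = new Proxy({ ...props }, {
    has: (t, k) => k === "globalThis" || Reflect.has(t, k),
    get(t, k, r) {
      if (k !== "globalThis") return Reflect.get(t, k, r);
      resolved = true; // first read makes the name visible to enumeration
      return proxy;
    },
    ownKeys: (t) => [...Reflect.ownKeys(t), ...(resolved ? ["globalThis"] : [])],
  });
  return proxy;
}

const ALLOWED = new Set(["Math"]); // names the guest is meant to keep

// Weak: shadow only what enumeration reports at setup time.
const namesByEnumeration = (win) =>
  Object.getOwnPropertyNames(win).filter((n) => !ALLOWED.has(n));

// Hardened: also shadow names that must never reach the guest, whether or
// not enumeration reports them.
const ALWAYS_SHADOW = ["globalThis"];
const namesExplicit = (win) =>
  [...new Set([...namesByEnumeration(win), ...ALWAYS_SHADOW])];

// Evaluates a guest expression with each listed name shadowed by undefined;
// unshadowed names fall through to the modelled global object.
function runGuest(win, shadowed, expr) {
  const scope = Object.create(win);
  for (const n of shadowed) Object.defineProperty(scope, n, { value: undefined });
  return new Function("scope", `with (scope) { return (${expr}); }`)(scope);
}

function demo() {
  const props = { Math, document: { title: "constructed" } };
  const weakWin = makeLazyGlobal(props);
  const before = Object.getOwnPropertyNames(weakWin).includes("globalThis");
  const weakLeaks = runGuest(weakWin, namesByEnumeration(weakWin), "globalThis") === weakWin;
  const after = Object.getOwnPropertyNames(weakWin).includes("globalThis");
  const hardWin = makeLazyGlobal(props);
  const hardLeaks = runGuest(hardWin, namesExplicit(hardWin), "globalThis") === hardWin;
  return { before, weakLeaks, after, hardLeaks };
}

console.log(demo());
```

In the weak case the guest ends up holding the unrestricted global object even though every enumerated name was shadowed; re-enumerating after the access shows the name that setup missed.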

Fix

RCE


Weakness Enumeration

Related Identifiers

ALT-PU-2019-2301
ALT-PU-2019-2324
ALT-PU-2019-2479
ALT-PU-2019-2486
BDU:2020-00603
CVE-2019-11716
MGASA-2019-0213
MGASA-2019-0272
OPENSUSE-SU-2019:2248-1
OPENSUSE-SU-2019:2249-1
OPENSUSE-SU-2019:2251-1
OPENSUSE-SU-2019:2260-1
OPENSUSE-SU-2019_2248-1
OPENSUSE-SU-2019_2249-1
OPENSUSE-SU-2019_2251-1
OPENSUSE-SU-2019_2260-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:14572-1
SUSE-SU-2019:14246-1
SUSE-SU-2019:2515-1
SUSE-SU-2019:2545-1
SUSE-SU-2019:2620-1
SUSE-SU-2019_14246-1
USN-4054-1
USN-4054-2

Affected Products

Alt Linux
Firefox
Suse
Ubuntu