CVE-2019-11736

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 69 Firefox ESR versions prior to 68.1

Description The issue is caused by errors in synchronization when using a shared resource in the Mozilla Maintenance Service of Firefox ESR and Firefox browsers. This can allow an attacker to elevate their privileges. Specifically, the Maintenance Service does not prevent files from being hardlinked to another file in the updates directory, which can lead to the replacement of local files, including the Maintenance Service executable that runs with privileged access. A race condition during checks for junctions and symbolic links can also allow for undetected local file and directory manipulation in some cases. This vulnerability requires local system access and only affects Windows.

Recommendations For Firefox versions prior to 69, update to version 69 or later to resolve the issue. For Firefox ESR versions prior to 68.1, update to version 68.1 or later to resolve the issue.