CVE-2019-11707
Published: 23 July 2019
Summary
CVE-2019-11707 is a high-severity Type Confusion (CWE-843) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
A type confusion vulnerability exists in the handling of JavaScript objects due to issues in Array.pop, which can result in an exploitable crash. The flaw is tracked as CWE-843 and carries a CVSS 3.1 score of 8.8. It affects Firefox ESR versions prior to 60.7.1, Firefox versions prior to 67.0.3, and Thunderbird versions prior to 60.7.2.
Remote attackers can trigger the issue by serving malicious JavaScript that manipulates array objects, achieving arbitrary code execution or at minimum a crash. Mozilla has confirmed targeted attacks in the wild that abuse this vulnerability, indicating active exploitation against selected victims who visit attacker-controlled web content or receive malicious email in Thunderbird.
Mozilla advisories MFSA2019-18 and MFSA2019-20, along with the corresponding Gentoo GLSA, direct users to upgrade to the fixed releases listed above. The referenced Bugzilla entry provides additional technical detail on the root cause and the patches applied.
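The fixed-version thresholds above can be turned into an inventory check. The following is an added example, not code from Mozilla or from this page's publisher; the host names and inventory rows are constructed, and it assumes ESR builds report a version string ending in `esr`.

```python
import re

# First non-vulnerable version per product line, as stated on this page.
FIXED = {
    "firefox": (67, 0, 3),
    "firefox-esr": (60, 7, 1),
    "thunderbird": (60, 7, 2),
}

def parse_version(text):
    """Turn '60.7.0esr' or '67.0' into a 3-tuple of ints; None if unparseable."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:esr)?$", text.strip().lower())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(product, version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one inventory row."""
    product = product.strip().lower()
    # Assumption: an 'esr' suffix marks the ESR line, whose fix version
    # (60.7.1) is numerically below the release-line fix (67.0.3).
    if product == "firefox" and version.strip().lower().endswith("esr"):
        product = "firefox-esr"
    parsed = parse_version(version)
    if product not in FIXED or parsed is None:
        return "unknown"  # e.g. beta builds: review by hand
    return "vulnerable" if parsed < FIXED[product] else "fixed"

# Constructed sample inventory (host, product, version); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "67.0.2"),
    ("ws-02", "Firefox", "67.0.3"),
    ("ws-03", "Firefox", "60.7.0esr"),
    ("ws-04", "Firefox", "60.8.0esr"),
    ("ws-05", "Thunderbird", "60.7.1"),
    ("ws-06", "Firefox", "68.0b3"),
]

def triage(rows):
    """Map each host to its classification."""
    return {host: classify(product, version) for host, product, version in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A Firefox row in the 60.x range without the `esr` suffix is compared against 67.0.3 and reported as vulnerable, which errs on the side of patching.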
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-3377
Vulnerability details
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.
- CWE(s): CWE-843
- KEV Date Added: 23 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor patches that eliminate the Array.pop type confusion flaw in Firefox/Thunderbird before exploitation can occur.
Requires controls on mobile code (JavaScript) to block or restrict execution of untrusted scripts that trigger the vulnerability via malicious web content or email.
Provides malicious-code detection and blocking mechanisms that can intercept or alert on attempts to deliver the exploit payload through browser or email channels.