Cyber Resilience

CVE-2019-11707

HighCISA KEVActive ExploitationEUVD Exploited

Published: 23 July 2019

Published
23 July 2019
Modified
27 October 2025
KEV Added
23 May 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.8429 99.3th percentile
Risk Priority 88 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-11707 is a high-severity Type Confusion (CWE-843) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

A type confusion vulnerability exists in the handling of JavaScript objects due to issues in Array.pop, which can result in an exploitable crash. The flaw is tracked as CWE-843 and carries a CVSS 3.1 score of 8.8. It affects Firefox ESR versions prior to 60.7.1, Firefox versions prior to 67.0.3, and Thunderbird versions prior to 60.7.2.

Remote attackers can trigger the issue by serving malicious JavaScript that manipulates array objects, achieving arbitrary code execution or at minimum a crash. Mozilla has confirmed targeted attacks in the wild that abuse this vulnerability, indicating active exploitation against selected victims who visit attacker-controlled web content or receive malicious email in Thunderbird.

Mozilla advisories MFSA2019-18 and MFSA2019-20, along with the corresponding Gentoo GLSA, direct users to upgrade to the fixed releases listed above. The referenced Bugzilla entry provides additional technical detail on the root cause and the patches applied.

EU & UK References

Vulnerability details

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR <…

more

60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

CWE(s)
KEV Date Added
23 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mozilla
firefox
≤ 60.7.1 · ≤ 67.0.3
mozilla
thunderbird
≤ 60.7.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patches that eliminate the Array.pop type confusion flaw in Firefox/Thunderbird before exploitation can occur.

prevent

Requires controls on mobile code (JavaScript) to block or restrict execution of untrusted scripts that trigger the vulnerability via malicious web content or email.

preventdetect

Provides malicious-code detection and blocking mechanisms that can intercept or alert on attempts to deliver the exploit payload through browser or email channels.

References