CVE-2019-11708

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 23 July 2019
Modified: 27 October 2025
KEV Added: 23 May 2022
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.6881 (98.6th percentile)
Risk Priority: 81 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-11708 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is an instance of insufficient input validation (CWE-20) affecting the Prompt:Open IPC message handler used for communication between sandboxed child processes and the non-sandboxed parent process. It impacts Firefox ESR prior to 60.7.2, Firefox prior to 67.0.4, and Thunderbird prior to 60.7.2, and carries a CVSS 3.1 base score of 10.0 reflecting its critical severity and network-exploitable nature without authentication or user interaction.

An attacker able to first compromise a child content process can supply malicious parameters via the IPC channel, causing the parent process to open attacker-chosen web content outside the sandbox. When chained with one or more additional vulnerabilities, this can lead to arbitrary code execution on the target system.

Mozilla addressed the issue in security advisories MFSA2019-19 and MFSA2019-20, with corresponding updates released for the affected Firefox and Thunderbird branches; Gentoo Linux also published GLSA-201908-12 describing the patched package versions. A publicly posted Windows 64-bit exploit chain referencing this CVE demonstrates practical chaining with other browser weaknesses.

Vulnerability details

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

CWE(s): CWE-20
KEV Date Added: 23 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mozilla firefox: < 60.7.2 (ESR) · < 67.0.4
mozilla thunderbird: < 60.7.2
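
A patch-level triage check for the affected ranges, as an added example that is not part of the original page: it treats 60.7.2 (Firefox ESR, Thunderbird) and 67.0.4 (Firefox release) as the first fixed builds, per the vulnerability description. The inventory rows, host names and the use of an `esr` suffix to identify ESR builds are assumptions.

```python
import re

# First fixed versions, taken from the vulnerability description on this page.
FIXED = {
    ("firefox", "release"): (67, 0, 4),
    ("firefox", "esr"): (60, 7, 2),
    ("thunderbird", "release"): (60, 7, 2),
}

def parse_version(text):
    """Turn '60.7.2esr' or '67.0' into (3-tuple of ints, has_esr_suffix)."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})(esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts))), bool(m.group(2))

def is_affected(product, version, channel=None):
    """True when the build predates the fix for CVE-2019-11708."""
    number, esr_suffix = parse_version(version)
    product = product.lower()
    if channel is None:  # assumption: ESR builds report an 'esr' suffix
        channel = "esr" if esr_suffix else "release"
    try:
        fixed = FIXED[(product, channel)]
    except KeyError:
        raise ValueError(f"no fix data for {product}/{channel}") from None
    return number < fixed

def triage(inventory):
    """Return the hosts whose build still needs the update."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]

# Constructed inventory rows: (host, product, reported version).
SAMPLE = [
    ("ws-01", "firefox", "67.0.3"),      # release, one patch behind
    ("ws-02", "firefox", "67.0.4"),      # release, fixed
    ("ws-03", "firefox", "60.7.1esr"),   # ESR, behind
    ("ws-04", "firefox", "60.8.0esr"),   # ESR, fixed although below 67.0.4
    ("ws-05", "thunderbird", "60.7.2"),  # fixed
    ("ws-06", "thunderbird", "60.7"),    # short form of 60.7.0, behind
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Comparing every Firefox build against 67.0.4 alone would flag patched ESR installs such as 60.8.0esr, which is why the channel is resolved before the comparison.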

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation of all input (including IPC parameters) before it is processed, preventing the malicious Prompt:Open message from a compromised child process.

Prevent: Enforces process isolation so that a compromised sandboxed child process cannot influence or escape into the non-sandboxed parent process via IPC.

Prevent: Enforces access-control policy on the IPC channel, limiting what actions the parent process will perform on behalf of a child process.
