Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the userβs computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
Recent assessments:
gwillcox-r7 at November 22, 2020 2:44am UTC reported:
Reported as exploited in the wild as part of Googleβs 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>
Assessed Attacker Value: 0
Assessed Attacker Value: 0Assessed Attacker Value: 0
packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html
bugzilla.mozilla.org/show_bug.cgi?id=1559858
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708
security.gentoo.org/glsa/201908-12
www.mozilla.org/security/advisories/mfsa2019-19
www.mozilla.org/security/advisories/mfsa2019-20