The IonMonkey just-in-time (JIT) compiler can leak an internal JS_OPTIMIZED_OUT magic value to the running script during a bailout. This magic value can then be used by JavaScript to achieve memory corruption, which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.
[
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "60.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "60.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "66",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]
packetstormsecurity.com/files/153106/Spidermonkey-IonMonkey-JS_OPTIMIZED_OUT-Value-Leak.html
access.redhat.com/errata/RHSA-2019:0966
access.redhat.com/errata/RHSA-2019:1144
bugzilla.mozilla.org/show_bug.cgi?id=1532599
www.mozilla.org/security/advisories/mfsa2019-07/
www.mozilla.org/security/advisories/mfsa2019-08/
www.mozilla.org/security/advisories/mfsa2019-11/