The vulnerability was reported by Mozilla to be actively exploited in the wild.
This vulnerability as reportedly used in a targeted attack against Coinbase employees on Monday, June 17 2019.
The vulnerability was used in conjunction with another sandbox bypass issue CVE-2019-11708, patched by Mozilla on June 20, 2019.
This vulnerability was independently discovered and reported to Mozilla by a security researcher Samuel Gro├Я on April 15. It took Mozilla 64 days to issue a security fix.
Vulnerability details
Advisory: SB2019061805 - Remote code execution in Mozilla Firefox and Firefox ESR
Vulnerable component: Mozilla Firefox
CVE-ID: CVE-2019-11707
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-843 - Type confusion
Description:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when manipulating JavaScript objects due to issues in Array.pop
. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild along with SB2019062002 (CVE-2019-11708).
Public Exploits:
- Mozilla Firefox 67 - Array.pop JIT Type Confusion [Exploit-DB]