Mozilla Foundation Security Advisory 2019-18

Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1

Announced

June 18, 2019

Impact

critical

Products

Firefox, Firefox ESR

Fixed in

Firefox 67.0.3
Firefox ESR 60.7.1

#CVE-2019-11707: Type confusion in Array.pop

Reporter: Samuel Groß of Google Project Zero, Coinbase Security
Impact: critical

Description

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

References

Bug 1544386

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice