Bug 1149288 (CVE-2019-11741)

Summary: VUL-0: CVE-2019-11741: MozillaFirefox: Isolate addons.mozilla.org and accounts.firefox.com
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Charles Robertson <cgrobertson>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/241695/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1149324
Bug Blocks:

Description Alexander Bergmann 2019-09-04 06:48:27 UTC
CVE-2019-11741: Isolate addons.mozilla.org and accounts.firefox.com

Reporter   Niklas Baumstark via TrendMicro's Zero Day Initiative
Impact     high

Description
A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org and accounts.firefox.com have close ties to the Firefox product, malicious manipulation of these sites within the browser can potentially be used to modify a user's Firefox configuration. These two sites will now be isolated into their own process and not allowed to be loaded in a standard content process.


References:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11741
https://bugzilla.mozilla.org/show_bug.cgi?id=1539595
https://bugzilla.redhat.com/show_bug.cgi?id=1748673
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11741
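
The mitigation the advisory describes is a process-assignment rule: the two Firefox-related sites get a content process of their own and may not be loaded into a standard one. The following is an added illustration written for this page, not Firefox's own code; it models that rule as a small process classifier. The class names ("isolated", "web"), the function names and the assumption that the two sites may share one isolated process with each other are choices made here, not taken from the advisory. The point a defender should take from it is that the decision is made on the exact https origin host, so a look-alike host, an http:// URL or a URL with userinfo in front of the real host never ends up in the isolated process.

```python
from urllib.parse import urlsplit

# The two hosts the advisory says are moved into their own process.
ISOLATED_HOSTS = frozenset({"addons.mozilla.org", "accounts.firefox.com"})


def process_type_for(url: str) -> str:
    """Return the process class a top-level page should load in.

    'isolated' for the two Firefox-related sites served over https,
    'web' for everything else. Matching is on the exact host of an
    https URL (urlsplit already lower-cases the hostname), so
    'addons.mozilla.org.evil.example' or an http:// page stays in the
    standard web process class.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https" and host in ISOLATED_HOSTS:
        return "isolated"
    return "web"


def may_share_process(url_a: str, url_b: str) -> bool:
    """Two pages may share a content process only if they fall in the
    same class. Ordinary web content can never sit next to an isolated
    site, which removes the UXSS path from a compromised web process
    to the isolated site."""
    return process_type_for(url_a) == process_type_for(url_b)


def check_load(url: str, process_type: str) -> bool:
    """The check a process launcher would apply to a load request:
    a URL is only allowed into a process of its own class. Loading
    accounts.firefox.com into a 'web' process is refused."""
    return process_type_for(url) == process_type


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the bug report.
    for u in (
        "https://addons.mozilla.org/en-US/firefox/",
        "https://accounts.firefox.com/signin",
        "https://addons.mozilla.org.evil.example/",   # look-alike host
        "http://addons.mozilla.org/",                 # wrong scheme
        "https://addons.mozilla.org@evil.example/",   # userinfo trick
        "https://example.org/",
    ):
        print(f"{u:50} -> {process_type_for(u)}")
    print("web + isolated share?",
          may_share_process("https://example.org/",
                            "https://addons.mozilla.org/"))
```

Running the block prints the class each sample URL would be assigned to; the three spoofing-style URLs all land in the "web" class, which is the behaviour to verify when reviewing any site-isolation rule of this shape.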
Comment 1 Alexander Bergmann 2019-11-20 16:07:47 UTC
This issue is fixed in Firefox 69.

openSUSE uses different versions:

openSUSE:Leap:15.0 60.0esr
openSUSE:Leap:15.1 60.6.2esr
openSUSE:Leap:15.2 68.2.0esr
openSUSE:Factory   70.0.1

SLE is also using only ESR versions and not Firefox 69.

Closing bug as invalid.