Bugzilla – Bug 1149288
VUL-0: CVE-2019-11741: MozillaFirefox: Isolate addons.mozilla.org and accounts.firefox.com
Last modified: 2019-11-20 16:07:47 UTC
CVE-2019-11741: Isolate addons.mozilla.org and accounts.firefox.com

Reporter: Niklas Baumstark via TrendMicro's Zero Day Initiative
Impact: high

Description:
A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org and accounts.firefox.com have close ties to the Firefox product, malicious manipulation of these sites within the browser can potentially be used to modify a user's Firefox configuration. These two sites will now be isolated into their own process and not allowed to be loaded in a standard content process.

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11741
https://bugzilla.mozilla.org/show_bug.cgi?id=1539595
https://bugzilla.redhat.com/show_bug.cgi?id=1748673
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11741

This issue is fixed in Firefox 69.

openSUSE uses different versions:
openSUSE:Leap:15.0 60.0esr
openSUSE:Leap:15.1 60.6.2esr
openSUSE:Leap:15.2 68.2.0esr
openSUSE:Factory 70.0.1

SLE is also using only ESR versions and not Firefox 69.

Closing bug as invalid.