QwikSec

Security Database

CVE

CWE

Training

CVE-2019-11711

Published: Jul 23, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Vendor	Product	Versions
Mozilla	Firefox ESR	affected `unspecified - < 60.8`
Mozilla	Firefox	affected `unspecified - < 68`
Mozilla	Thunderbird	affected `unspecified - < 60.8`

References

https://www.mozilla.org/security/advisories/mfsa2019-21/

x_refsource_MISC

https://www.mozilla.org/security/advisories/mfsa2019-22/

x_refsource_MISC

https://www.mozilla.org/security/advisories/mfsa2019-23/

x_refsource_MISC

https://bugzilla.mozilla.org/show_bug.cgi?id=1552541

x_refsource_MISC

openSUSE-SU-2019:1811

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2019:1813

vendor-advisory

x_refsource_SUSE

[debian-lts-announce] 20190802 [SECURITY] [DLA 1869-1] firefox-esr security update

mailing-list

x_refsource_MLIST

[debian-lts-announce] 20190802 [SECURITY] [DLA 1870-1] thunderbird security update

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_GENTOO

vendor-advisory

x_refsource_GENTOO

openSUSE-SU-2019:1990

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2019:2248

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2019:2249

vendor-advisory

x_refsource_SUSE

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.