CVE-2019-11708

10.0 CRITICAL

📋 TL;DR

This vulnerability allows a compromised child process in Firefox/Thunderbird to trick the parent process into opening malicious web content, potentially leading to arbitrary code execution when combined with other vulnerabilities. It affects Firefox ESR before 60.7.2, Firefox before 67.0.4, and Thunderbird before 60.7.2. Users of these outdated versions are at risk.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
  • Mozilla Thunderbird
Versions: Firefox ESR < 60.7.2, Firefox < 67.0.4, Thunderbird < 60.7.2
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with arbitrary code execution leading to complete control of the user's computer, data theft, and lateral movement.

🟠 Likely Case: Browser compromise leading to session hijacking, credential theft, and installation of malware or backdoors.

🟢 If Mitigated: Limited impact with only browser-level compromise if proper sandboxing and security controls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploit requires chaining with additional vulnerabilities for full code execution. Public exploit code exists in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox ESR 60.7.2, Firefox 67.0.4, Thunderbird 60.7.2

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2019-19/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to complete.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable JavaScript (applies to: all)

Temporarily reduces the attack surface by disabling JavaScript execution.

about:config → javascript.enabled = false

🧯 If You Can't Patch

  • Discontinue use of affected browsers for sensitive activities
  • Implement application whitelisting to block execution of malicious payloads

🔍 How to Verify

Check if Vulnerable:

Check browser version in About dialog: Firefox ESR < 60.7.2, Firefox < 67.0.4, Thunderbird < 60.7.2

Check Version:

firefox --version
thunderbird --version

Verify Fix Applied:

Confirm version is Firefox ESR ≥ 60.7.2, Firefox ≥ 67.0.4, or Thunderbird ≥ 60.7.2
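The version check above has a trap: the ESR and release channels have different fixed versions, so a build must be compared against the right threshold. The script below is an added example, not part of this advisory page, and assumes `firefox --version` prints "Mozilla Firefox 60.7.1esr" (ESR suffix) or "Mozilla Firefox 67.0.3" and `thunderbird --version` prints "Thunderbird 60.7.1"; the sample lines in it are constructed.

```python
import re

# Fixed versions per product/channel, taken from the advisory (MFSA 2019-19).
FIXED = {
    "firefox-esr": (60, 7, 2),
    "firefox": (67, 0, 4),
    "thunderbird": (60, 7, 2),
}

# Matches "Mozilla Firefox 67.0.3", "Mozilla Firefox 60.7.1esr", "Thunderbird 60.7.1".
VERSION_RE = re.compile(r"^(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+(?:\.\d+)*)(esr)?$")


def parse_version_output(line):
    """Turn a --version line into (product key, version tuple).

    The 'esr' suffix selects the ESR channel; everything else is the release channel.
    """
    m = VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {line!r}")
    name, ver, esr = m.groups()
    if name == "Thunderbird":
        product = "thunderbird"
    else:
        product = "firefox-esr" if esr else "firefox"
    return product, tuple(int(p) for p in ver.split("."))


def is_vulnerable(line):
    """True when the reported build is older than the fixed version for its channel."""
    product, version = parse_version_output(line)
    fixed = FIXED[product]
    # Right-pad with zeros so "68.0" compares like "68.0.0" against a three-part fix.
    width = max(len(version), len(fixed))
    padded = version + (0,) * (width - len(version))
    fixed = fixed + (0,) * (width - len(fixed))
    return padded < fixed


if __name__ == "__main__":
    # Constructed sample outputs, one per channel, to exercise the comparison.
    for sample in ("Mozilla Firefox 60.7.1esr", "Mozilla Firefox 67.0.4", "Thunderbird 60.7.1"):
        state = "VULNERABLE" if is_vulnerable(sample) else "patched"
        print(f"{sample:30} -> {state}")
```

Pipe the real command output into `is_vulnerable` (for example via `subprocess.run(["firefox", "--version"], capture_output=True, text=True).stdout`) to check a host.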

📡 Detection & Monitoring

Log Indicators:

  • Unusual child process termination
  • Unexpected IPC messages between browser processes
  • Multiple prompt:open requests

Network Indicators:

  • Connections to known malicious domains following browser compromise
  • Unusual outbound traffic patterns

SIEM Query:

source="browser_logs" AND (event="process_crash" OR event="ipc_violation")
