CVE-2019-11708

CRITICAL KEV

Firefox ESR < 60.7.2, Firefox < 67.0.4, Thunderbird < 60.7.2 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-11708 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 23, 2022. EIP tracks 3 public exploits from researchers including 0vercl0k.

AI-analyzed exploit summary This repository contains a full exploit chain for CVE-2019-11708 and CVE-2019-9810, targeting Firefox on Windows 64-bit. It leverages a data corruption vulnerability to achieve privileged JavaScript execution and ultimately compromises the entire browser, including the sandboxed parent process.

Description

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

Exploits (3)

nomisec WORKING POC 623 stars
by 0vercl0k · client-side
https://github.com/0vercl0k/CVE-2019-11708

This repository contains a full exploit chain for CVE-2019-11708 and CVE-2019-9810, targeting Firefox on Windows 64-bit. It leverages a data corruption vulnerability to achieve privileged JavaScript execution and ultimately compromises the entire browser, including the sandboxed parent process.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Firefox 68.0a1 (custom build)
No auth needed
Prerequisites: BigInt support enabled in Firefox · Custom build of Firefox synchronized to revision 2abb636ad481768b7c88619080cf224b2c266b2d
devstral-2 · analyzed Feb 18, 2026 Full analysis →
vulncheck_xdb WORKING POC
client-side
https://github.com/Sp0pielar/CVE-2019-9791

This repository contains a functional exploit chain for CVE-2019-9791 and CVE-2019-11708 targeting Firefox 65.0 on Windows 64-bit. The exploit leverages type confusion to achieve arbitrary read/write primitives in the content process and escalates to arbitrary code execution in the main process.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Firefox 65.0
No auth needed
Prerequisites: Firefox 65.0 on Windows 64-bit
devstral-2 · analyzed Feb 25, 2026 Full analysis →
exploitdb WORKING POC
javascriptlocalwindows_x86-64
https://www.exploit-db.com/exploits/47752

This is a functional exploit for CVE-2019-11708, leveraging a type confusion vulnerability in Mozilla Firefox's JavaScript engine to achieve arbitrary read/write primitives and ultimately remote code execution. The exploit manipulates array lengths and corrupts memory to bypass security mechanisms.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Mozilla Firefox (versions prior to fix for CVE-2019-11708)
No auth needed
Prerequisites: Victim must visit a malicious webpage or execute the JavaScript in a vulnerable Firefox browser
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (6)

Core 6
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201908-12

Scores

CVSS v3 10.0
EPSS 0.6881
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-05-23
VulnCheck KEV 2019-06-20
InTheWild.io 2019-06-20
ENISA EUVD EUVD-2019-3378
CWE
CWE-20
Status published
Products (3)
mozilla/firefox < 60.7.2
mozilla/firefox < 67.0.4
mozilla/thunderbird < 60.7.2
Published Jul 23, 2019
KEV Added May 23, 2022
Tracked Since Feb 18, 2026