firefox-esr: sandbox escape using Prompt:Open (CVE-2019-11708) (#10600) · Issues · alpine / aports

firefox-esr: sandbox escape using Prompt:Open (CVE-2019-11708)

Insufficient vetting of parameters passed with the `Prompt:Open`
IPC message between child and parent processes can result in the non-sandboxed
parent process opening web content chosen by a compromised child process.
When combined with additional vulnerabilities
this could result in executing arbitrary code on the user’s computer.

Fixed In Version:

Firefox ESR 60.7.2

Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/

(from redmine: issue id 10600, created on 2019-06-21, closed on 2019-06-28)

Relations:
- child #10601 (closed)
- child #10602 (closed)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information