CVE-2019-11707

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

Published: Jul 23, 2019
Updated: Nov 4, 2025
CVE: CVE-2019-11707
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-843

Affected Software
References

Software	From	Fixed in
mozilla / thunderbird	-	60.7.2
mozilla / firefox	-	60.7.1
mozilla / firefox	-	67.0.3

https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
https://security.gentoo.org/glsa/201908-12
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11707
https://www.mozilla.org/security/advisories/mfsa2019-18/
https://www.mozilla.org/security/advisories/mfsa2019-20/

Vulnerability Database

CVE-2019-11707

Deep Security Visibility Without the Complexity