Subject: [ASA-201906-18] firefox: arbitrary code execution

Arch Linux Security Advisory ASA-201906-18
==========================================

Severity: Critical
Date    : 2019-06-19
CVE-ID  : CVE-2019-11707
Package : firefox
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-994

Summary
=======

The package firefox before version 67.0.3-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 67.0.3-1.

# pacman -Syu "firefox>=67.0.3-1"

The problem has been fixed upstream in version 67.0.3.

Workaround
==========

None.

Description
===========

A type confusion vulnerability can occur when manipulating JavaScript
objects due to issues in Array.pop, in Firefox before 67.0.3. This can
allow for an exploitable crash. Mozilla has been made aware of targeted
attacks in the wild abusing this flaw.

Impact
======

A remote attacker can execute arbitrary code via crafted JavaScript
code.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-18
https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/#CVE-2019-11707
https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
https://security.archlinux.org/CVE-2019-11707