Subject: [ASA-201906-19] firefox-developer-edition: arbitrary code execution

Arch Linux Security Advisory ASA-201906-19
==========================================

Severity: Critical
Date    : 2019-06-19
CVE-ID  : CVE-2019-11707
Package : firefox-developer-edition
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-995

Summary
=======

The package firefox-developer-edition before version 68.0b11-1 is
vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 68.0b11-1.

# pacman -Syu "firefox-developer-edition>=68.0b11-1"

The problem has been fixed upstream in version 68.0b11.

Workaround
==========

None.

Description
===========

A type confusion vulnerability can occur when manipulating JavaScript
objects due to issues in Array.pop, in Firefox before 67.0.3. This can
allow for an exploitable crash. Mozilla has been made aware of targeted
attacks in the wild abusing this flaw.

Impact
======

A remote attacker can execute arbitrary code via crafted JavaScript
code.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-18
https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/#CVE-2019-11707
https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
https://security.archlinux.org/CVE-2019-11707