Allele Security Alert
ASA-2019-00437
Identifier(s)
ASA-2019-00437, CVE-2019-11716, MFSA2019-21
Title
globalThis not enumerable until accessed
Vendor(s)
Mozilla Foundation
Product(s)
Mozilla Firefox
Affected version(s)
Mozilla Firefox versions before 68
Fixed version(s)
Mozilla Firefox version 68
Proof of concept
Unknown
Description
Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy sandboxing that depends on enumerating the window object and freezing access to its properties may miss this property, allowing their sandboxes to be bypassed.
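A defensive check for the enumerate-and-freeze pattern described above, as an added example that is not part of the advisory or of Mozilla's code. The Proxy in makeLazyGlobal is a constructed stand-in for a global object whose globalThis property only appears after the first read; KNOWN, lock, lockEnumerated, auditLock and lockAfterProbe are hypothetical names.

```javascript
// Constructed model, not Firefox internals: "globalThis" is absent from the
// object's own keys until the first read resolves it.
function makeLazyGlobal() {
  const target = { document: {}, fetch() {} };
  const proxy = new Proxy(target, {
    get(t, key, receiver) {
      if (key === 'globalThis' && !Object.prototype.hasOwnProperty.call(t, key)) {
        Object.defineProperty(t, key, {
          value: proxy, writable: true, enumerable: false, configurable: true,
        });
      }
      return Reflect.get(t, key, receiver);
    },
  });
  return proxy;
}

const KNOWN = ['globalThis', 'document', 'fetch']; // sample list (assumption)

// Make one own property read-only and non-configurable.
function lock(win, name) {
  const desc = Object.getOwnPropertyDescriptor(win, name);
  if ('value' in desc) desc.writable = false;
  desc.configurable = false;
  Object.defineProperty(win, name, desc);
}

// Pattern from the advisory: lock only what enumeration reports.
function lockEnumerated(win) {
  const names = Object.getOwnPropertyNames(win);
  names.forEach((name) => lock(win, name));
  return names;
}

// Audit: names that are readable but still not locked after the sandbox ran.
function auditLock(win, known) {
  return known.filter((name) => {
    if (win[name] === undefined) return false; // not reachable at all
    const desc = Object.getOwnPropertyDescriptor(win, name);
    return !desc || desc.configurable;
  });
}

// Hardened: read every known name first so lazy properties exist, then lock.
function lockAfterProbe(win, known) {
  for (const name of known) void win[name];
  return lockEnumerated(win);
}
```

Running auditLock after sandbox setup in each supported browser version surfaces lazily resolved names that enumeration skipped.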
Technical details
Unknown
Credits
Chris Hacking
Reference(s)
Mozilla Foundation Security Advisory 2019-21
https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11716
Bug 1552632
https://bugzilla.mozilla.org/show_bug.cgi?id=1552632
CVE-2019-11716
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11716
CVE-2019-11716
https://nvd.nist.gov/vuln/detail/CVE-2019-11716
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: July 18, 2019