Allele Security Alert
ASA-2019-00437, CVE-2019-11716, MFSA2019-21
GlobalThis not enumerable until accessed
Mozilla Firefox version before 68
Mozilla Firefox version 68
Proof of concept
Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed.
Mozilla Foundation Security Advisory 2019-21
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: July 18, 2019