Allele Security Alert
ASA-2019-00439, CVE-2019-11718, MFSA2019-21
Activity Stream writes unsanitized content to innerHTML
Mozilla Firefox version before 68
Mozilla Firefox version 68
Proof of concept
Activity Stream can display content sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised.
Mozilla Foundation Security Advisory 2019-21
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: July 17, 2019