A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments, which leaves the stack pointer off by 8 bytes after a bailout. This leaks a memory address to the calling function, which can be used as part of an exploit inside the sandboxed content process.
External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/#CVE-2018-12387
Acknowledgments:
Name: the Mozilla project
Upstream: Niklas Baumstark, Bruno Keith via Beyond Security's SecuriTeam Secure Disclosure program
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 via RHSA-2018:2881 (https://access.redhat.com/errata/RHSA-2018:2881)
Red Hat Enterprise Linux 7 via RHSA-2018:2884 (https://access.redhat.com/errata/RHSA-2018:2884)