Insufficient vetting of parameters passed with the `Prompt:Open` IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/#CVE-2019-11708
Acknowledgments: Name: the Mozilla project Upstream: Coinbase Security
Created thunderbird tracking bugs for this issue: Affects: fedora-all [bug 1722679]
Statement: In general, this flaw cannot be exploited through email in Thunderbird because scripting is disabled when reading mail.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1603 https://access.redhat.com/errata/RHSA-2019:1603
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1604 https://access.redhat.com/errata/RHSA-2019:1604
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1623 https://access.redhat.com/errata/RHSA-2019:1623
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1624 https://access.redhat.com/errata/RHSA-2019:1624
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1626 https://access.redhat.com/errata/RHSA-2019:1626
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1696 https://access.redhat.com/errata/RHSA-2019:1696
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11708