When an inner window is reused, it does not consider the use of `document.domain` for cross-origin protections. If pages on different subdomains ever cooperatively use `document.domain`, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use `document.domain` to relax their origin security.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11711
Acknowledgments:
Name: the Mozilla project
Upstream: Boris Zbarsky
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2019:1764 https://access.redhat.com/errata/RHSA-2019:1764
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
Via RHSA-2019:1765 https://access.redhat.com/errata/RHSA-2019:1765
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2019:1763 https://access.redhat.com/errata/RHSA-2019:1763
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11711
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2019:1775 https://access.redhat.com/errata/RHSA-2019:1775
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
Via RHSA-2019:1777 https://access.redhat.com/errata/RHSA-2019:1777
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2019:1799 https://access.redhat.com/errata/RHSA-2019:1799