Until explicitly accessed by script, `window.globalThis` is not enumerable and, as a result, is not visible to code such as `Object.getOwnPropertyNames(window)`. Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed. External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11716
Acknowledgments: Name: the Mozilla project Upstream: Chris Hacking
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11716