Activity Stream can display content sent from the Snippet Service website. This content is written to `innerHTML` on the Activity Stream page without sanitization, allowing potential access to other information available to the Activity Stream, such as browsing history, if the Snippet Service were compromised.

External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11718
Acknowledgments:

Name: the Mozilla project
Upstream: Mark Banner
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11718