#VU20833 Resource management error in Mozilla Firefox - CVE-2019-11747

Cybersecurity Help s.r.o.

Published: 2019-09-03

Vulnerability identifier: #VU20833

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-11747

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability makes HSTS feature ineffective.

The vulnerability exists due to incorrect implementation of the "Forget about this site" feature in the History pane, intended to remove all saved user data that indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS) settings received from sites that use it. Due to a bug, sites on the pre-load list also have their HSTS setting removed. On the next visit to that site if the user specifies an http: URL rather than secure https: they will not be protected by the pre-loaded HSTS setting. After that visit the site's HSTS setting will be restored.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 66.0.2 - 68.0.2

External links
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu regressions update for Firefox

Ubuntu update for Firefox

Arch Linux update for firefox

Red Hat update for firefox

Multiple vulnerabilities in Mozilla Firefox ESR

Multiple vulnerabilities in Mozilla Firefox