A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-1829-1 firefox-esr security update
Debian DLA Debian DLA DLA-1836-1 thunderbird security update
Debian DSA Debian DSA DSA-4466-1 firefox-esr security update
Debian DSA Debian DSA DSA-4471-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-4020-1 Firefox vulnerability
Ubuntu USN Ubuntu USN USN-4045-1 Thunderbird vulnerabilities
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 27 Oct 2025 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

Wed, 22 Oct 2025 00:15:00 +0000


Tue, 21 Oct 2025 20:30:00 +0000


Tue, 21 Oct 2025 19:30:00 +0000


Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.84214}

epss

{'score': 0.81786}


Thu, 03 Apr 2025 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:* cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla firefox Esr

Fri, 07 Feb 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2022-05-23'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 14 Aug 2024 00:30:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2025-10-21T23:45:33.091Z

Reserved: 2019-05-03T00:00:00.000Z

Link: CVE-2019-11707

cve-icon Vulnrichment

Updated: 2024-08-04T23:03:32.447Z

cve-icon NVD

Status : Analyzed

Published: 2019-07-23T14:15:15.233

Modified: 2025-10-27T17:04:24.033

Link: CVE-2019-11707

cve-icon Redhat

Severity : Critical

Publid Date: 2019-06-19T00:00:00Z

Links: CVE-2019-11707 - Bugzilla

cve-icon OpenCVE Enrichment

No data.