Mozilla Releases Security Updates for Firefox, Thunderbird (May 22, 2019)

Ref# Mozilla | Date: May 29th 2019


The Mozilla Foundation released several security vulnerability fixes for Firefox, Firefox ESR, and Thunderbird. It is recommended to take the necessary precautions by ensuring products are always updated, to prevent an attacker from exploiting one of these vulnerabilities to take control of an affected system.

Mozilla Foundation Security Advisory 2019-13

Mozilla's security updates for Firefox include 2 critical, 11 high, 6 medium, and 2 low vulnerability fixes.


  • CVE-2019-9814: Memory safety bugs fixed in Firefox 67

  • CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7


  • CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS

  • CVE-2019-9816: Type confusion with object groups and UnboxedObjects

  • CVE-2019-9817: Stealing of cross-domain images using canvas

  • CVE-2019-9818: Use-after-free in crash generation server

  • CVE-2019-9819: Compartment mismatch with fetch API

  • CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

  • CVE-2019-9821: Use-after-free in AssertWorkerThread

  • CVE-2019-11691: Use-after-free in XMLHttpRequest

  • CVE-2019-11692: Use-after-free removing listeners in the event listener manager

  • CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux

  • CVE-2019-7317: Use-after-free in png_image_free of libpng library


  • CVE-2019-11694: Uninitialized memory leakage in Windows sandbox

  • CVE-2019-11695: Custom cursor can render over user interface outside of web content

  • CVE-2019-11696: Java web start .JNLP files are not recognized as executable files for download prompts

  • CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions

  • CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks

  • CVE-2019-11700: res: protocol can be used to open known local files


  • CVE-2019-11699: Incorrect domain name highlighting during page navigation

  • CVE-2019-11701: webcal: protocol default handler loads vulnerable web page

The Guyana National CIRT recommends that users and administrators review these updates and apply them where necessary.

