CVE-2019-11707

ENISA EUVD: EUVD-2019-3377 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 5, 2026 3 articles Published: 2019-07-23

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

84.29%

probability

This CVE has a 84.29% probability of being exploited in the next 30 days.

0% Top 99.3th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

8.8

HIGH

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2 (legacy)

7.5

HIGH

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Description

VulnerabilityLookup (CNA)

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

Affected Products

Mozilla

Firefox ESR

unspecified

Mozilla

Firefox

unspecified

Mozilla

Thunderbird

unspecified

mozilla

firefox

mozilla

thunderbird

Mozilla

Firefox

unspecified <67.0.3

Mozilla

Firefox ESR

unspecified <60.7.1

Mozilla

Thunderbird

unspecified <60.7.2

Attack Intelligence

CWE-664 · Improper Control of a Resource Through its Lifetime CWE-704 · Incorrect Type Conversion CWE-843 · Type Confusion

Google Project Zero

Patched

June 18, 2019

Reported by

Samuel Groß of Google Project Zero, Coinbase Security

Root Cause Analysis

https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-11707.html

Exploits & PoC

vigneshsrao/CVE-2019-11707

Exploit code for CVE-2019-11707 on Firefox 66.0.3 running on Ubuntu

42 2019-08-18

flabbergastedbd/cve-2019-11707

https://bugs.chromium.org/p/project-zero/issues/detail?id=1820

2 2020-04-14

CosminGGeorgescu/CVE-2019-11707-PoC

Proof of concept for CVE-2019-11707

0 2026-02-05

3 repos — triés par ⭐ Rechercher sur GitHub ↗

https://www.mozilla.org/security/advisories/mfsa2019-20/

x_refsource_MISC

https://www.mozilla.org/security/advisories/mfsa2019-18/

x_refsource_MISC

https://bugzilla.mozilla.org/show_bug.cgi?id=1544386

x_refsource_MISC

https://security.gentoo.org/glsa/201908-12

vendor-advisory x_refsource_GENTOO

Signal Intelligence

Confidenceⓘ

95%

EPSS 84.29%

CVSS v3.1 8.8

Mentions 3

Last Seen Jun 20, 2019

CNA Information

CNA Assigner

mozilla

Analyst Note

Auto-imported from Google Project Zero — confirmed zero-day by definition.

Triage Info

Decided atMar 05, 2026

Published DateJul 23, 2019