CVE-2019-11747

Name	CVE-2019-11747
Description	The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS) settings received from sites that use it. Due to a bug, sites on the pre-load list also have their HSTS setting removed. On the next visit to that site if the user specifies an http: URL rather than secure https: they will not be protected by the pre-loaded HSTS setting. After that visit the site's HSTS setting will be restored. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
firefox (PTS)	sid	113.0.2-1	fixed
firefox-esr (PTS)	buster	91.12.0esr-1~deb10u1	fixed
	buster (security)	102.11.0esr-1~deb10u1	fixed
	bullseye	102.10.0esr-1~deb11u1	fixed
	bullseye (security)	102.11.0esr-1~deb11u1	fixed
	bookworm, sid	102.11.0esr-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
firefox	source	(unstable)	69.0-1
firefox-esr	source	jessie	(not affected)
firefox-esr	source	stretch	(not affected)
firefox-esr	source	buster	(not affected)
firefox-esr	source	(unstable)	68.1.0esr-1

Notes

[buster] - firefox-esr <not-affected> (Doesn't affect ESR60)
[stretch] - firefox-esr <not-affected> (Doesn't affect ESR60)
[jessie] - firefox-esr <not-affected> (Doesn't affect ESR60)
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11747
https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11747