CVE-2019-11748

NameCVE-2019-11748
DescriptionWebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firefox (PTS)sid70.0.1-1fixed
firefox-esr (PTS)jessie52.8.1esr-1~deb8u1fixed
jessie (security)68.2.0esr-1~deb8u1fixed
stretch60.7.1esr-1~deb9u1fixed
stretch (security)68.2.0esr-1~deb9u2fixed
buster, buster (security)68.2.0esr-1~deb10u1fixed
bullseye, sid68.2.0esr-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firefoxsource(unstable)69.0-1
firefox-esrsource(unstable)68.1.0esr-1
firefox-esrsourcebuster(not affected)
firefox-esrsourcejessie(not affected)
firefox-esrsourcestretch(not affected)

Notes

[buster] - firefox-esr <not-affected> (Doesn't affect ESR60)
[stretch] - firefox-esr <not-affected> (Doesn't affect ESR60)
[jessie] - firefox-esr <not-affected> (Doesn't affect ESR60)
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11748
https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11748

Search for package or bug name: Reporting problems