A vulnerability where type-confusion in the IonMonkey just-in-time (JIT) compiler could potentially be used by malicious JavaScript to trigger a potentially exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Firefox | Mozilla | * | 66.0 (excluding) |
| Firefox_esr | Mozilla | * | 60.6 (excluding) |
| Thunderbird | Mozilla | * | 60.6 (excluding) |
| Red Hat Enterprise Linux 6 | RedHat | firefox-0:60.6.0-3.el6_10 | * |
| Red Hat Enterprise Linux 6 | RedHat | thunderbird-0:60.6.1-1.el6_10 | * |
| Red Hat Enterprise Linux 7 | RedHat | firefox-0:60.6.0-3.el7_6 | * |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:60.6.1-1.el7_6 | * |
| Red Hat Enterprise Linux 8 | RedHat | firefox-0:60.6.1-1.el8 | * |
| Red Hat Enterprise Linux 8 | RedHat | thunderbird-0:60.6.1-1.el8 | * |
| Firefox | Ubuntu | bionic | * |
| Firefox | Ubuntu | cosmic | * |
| Firefox | Ubuntu | devel | * |
| Firefox | Ubuntu | disco | * |
| Firefox | Ubuntu | eoan | * |
| Firefox | Ubuntu | focal | * |
| Firefox | Ubuntu | groovy | * |
| Firefox | Ubuntu | hirsute | * |
| Firefox | Ubuntu | impish | * |
| Firefox | Ubuntu | jammy | * |
| Firefox | Ubuntu | kinetic | * |
| Firefox | Ubuntu | lunar | * |
| Firefox | Ubuntu | mantic | * |
| Firefox | Ubuntu | noble | * |
| Firefox | Ubuntu | trusty | * |
| Firefox | Ubuntu | upstream | * |
| Firefox | Ubuntu | xenial | * |
| Mozjs38 | Ubuntu | bionic | * |
| Mozjs38 | Ubuntu | esm-apps/bionic | * |
| Mozjs38 | Ubuntu | upstream | * |
| Mozjs52 | Ubuntu | bionic | * |
| Mozjs52 | Ubuntu | cosmic | * |
| Mozjs52 | Ubuntu | disco | * |
| Mozjs52 | Ubuntu | eoan | * |
| Mozjs52 | Ubuntu | esm-apps/focal | * |
| Mozjs52 | Ubuntu | esm-infra/bionic | * |
| Mozjs52 | Ubuntu | focal | * |
| Mozjs52 | Ubuntu | groovy | * |
| Mozjs52 | Ubuntu | upstream | * |
| Mozjs60 | Ubuntu | cosmic | * |
| Mozjs60 | Ubuntu | disco | * |
| Mozjs60 | Ubuntu | eoan | * |
| Mozjs60 | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | bionic | * |
| Thunderbird | Ubuntu | cosmic | * |
| Thunderbird | Ubuntu | devel | * |
| Thunderbird | Ubuntu | disco | * |
| Thunderbird | Ubuntu | eoan | * |
| Thunderbird | Ubuntu | focal | * |
| Thunderbird | Ubuntu | groovy | * |
| Thunderbird | Ubuntu | hirsute | * |
| Thunderbird | Ubuntu | impish | * |
| Thunderbird | Ubuntu | jammy | * |
| Thunderbird | Ubuntu | kinetic | * |
| Thunderbird | Ubuntu | lunar | * |
| Thunderbird | Ubuntu | mantic | * |
| Thunderbird | Ubuntu | noble | * |
| Thunderbird | Ubuntu | trusty | * |
| Thunderbird | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | xenial | * |
While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.