CVE-2019-9812
CRITICAL
9.3
Our Analysis: General Purpose
Our model has classified this vulnerability as relevant to General Purpose Systems, helping your team prioritize efforts effectively.
Published Date: January 8, 2020
Last Modified: November 25, 2025
CVSS Vector: Not Available
Description
Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69.