A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
http://www.securityfocus.com/bid/104560
http://www.securitytracker.com/id/1041193
https://access.redhat.com/errata/RHSA-2018:2112
https://access.redhat.com/errata/RHSA-2018:2113
https://access.redhat.com/errata/RHSA-2018:2251
https://access.redhat.com/errata/RHSA-2018:2252
https://bugzilla.mozilla.org/show_bug.cgi?id=1459206
https://lists.debian.org/debian-lts-announce/2018/06/msg00014.html
https://lists.debian.org/debian-lts-announce/2018/07/msg00013.html
https://security.gentoo.org/glsa/201810-01
https://security.gentoo.org/glsa/201811-13
https://usn.ubuntu.com/3705-1/
https://usn.ubuntu.com/3714-1/
https://www.debian.org/security/2018/dsa-4235
https://www.debian.org/security/2018/dsa-4244
https://www.mozilla.org/security/advisories/mfsa2018-15/
https://www.mozilla.org/security/advisories/mfsa2018-16/
https://www.mozilla.org/security/advisories/mfsa2018-17/
Source: MITRE
Published: 2018-10-18
Updated: 2018-12-03
Type: CWE-200
Base Score: 4.3
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Impact Score: 2.9
Exploitability Score: 8.6
Severity: MEDIUM
Base Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Impact Score: 3.6
Exploitability Score: 2.8
Severity: MEDIUM