Mozilla this week released Firefox 69 in the stable channel with patches for 20 vulnerabilities, including one code execution bug rated Critical severity.
The flaw is that, when Firefox is launched by another program, logging-related command-line parameters are not properly sanitized. Such a launch would normally happen when the user clicks on a link in a chat application, for example.
An attacker looking to exploit the vulnerability could create malicious links that would be used to write a log file to an arbitrary location, such as the Windows ‘Startup’ folder. Tracked as CVE-2019-11751, the vulnerability only affects Firefox on Windows operating systems.
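For defenders reviewing process-creation telemetry, the following added example (not code from Mozilla or from this article) flags Firefox launches whose arguments point into a Windows Startup folder and reports which parent program started them. The event tuple layout, the sample paths and the `-PLACEHOLDER_LOG_OPTION` name are constructed for illustration; the placeholder is not a real Firefox option.

```python
import re

# Constructed process-creation events: (parent image, image, command line).
# -PLACEHOLDER_LOG_OPTION is a stand-in, not a real Firefox option name.
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ALT = STARTUP.upper().replace("\\", "/")  # same folder, different case and separators
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", FF, f'"{FF}"'),
    (r"C:\Apps\Chat\chat.exe", FF, f'"{FF}" -url "https://example.org/"'),
    (r"C:\Apps\Chat\chat.exe", FF,
     f'"{FF}" -url "https://example.org/" -PLACEHOLDER_LOG_OPTION "{STARTUP}\\firefox.log"'),
    (r"C:\Apps\Chat\chat.exe", FF, f'"{FF}" -PLACEHOLDER_LOG_OPTION="{ALT}/firefox.log"'),
]

# Matches per-user and all-users Startup folders after path normalization.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup(\\|$)")

def split_args(cmdline):
    """Tokenize a Windows command line; quotes may wrap all or part of a token."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]|"[^"]*")+', cmdline)]

def startup_paths(cmdline):
    """Return argument values (after argv[0]) that point into a Startup folder."""
    hits = []
    for arg in split_args(cmdline)[1:]:
        value = arg.split("=", 1)[-1]  # covers -opt=value and a bare value
        norm = re.sub(r"[\\/]+", r"\\", value).lower()  # unify separators and case
        if STARTUP_RE.search(norm):
            hits.append(value)
    return hits

def triage(events):
    """Flag Firefox launches whose arguments reference a Startup folder."""
    findings = []
    for parent, image, cmdline in events:
        if image.lower().endswith("\\firefox.exe"):
            paths = startup_paths(cmdline)
            if paths:
                findings.append({"parent": parent, "paths": paths})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```
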