CVE-2019-17026: 
NixOS vulnerability analysis and mitigation

CVE-2019-17026 is a critical type confusion vulnerability discovered in Mozilla Firefox's IonMonkey JavaScript Just-In-Time (JIT) compiler. The vulnerability was reported by Qihoo 360 ATA and affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1. The flaw stems from incorrect alias information in the IonMonkey JIT compiler for setting array elements (Mozilla Advisory, NVD).

The vulnerability exists in the IonMonkey JIT compiler, specifically related to StoreElementHole and FallibleStoreElement operations. The issue occurs due to incorrect alias information when setting array elements, which leads to a type confusion vulnerability. The vulnerability has a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Tenable).

The vulnerability could lead to type confusion, potentially allowing remote attackers to execute arbitrary code on affected systems. This is particularly severe as the vulnerability was actively exploited in targeted attacks in the wild (Mozilla Advisory, Tenable).

Mozilla addressed this vulnerability by releasing Firefox 72.0.1 and Firefox ESR 68.4.1. Users are strongly advised to upgrade to these versions or later to protect against this vulnerability. For Thunderbird users, while the vulnerability exists in the product, it cannot be exploited through email alone as scripting is disabled when reading mail, but it remains a potential risk in browser or browser-like contexts (Mozilla Advisory, Mozilla Advisory).