CVE-2019-11747 in Firefox
Summary
by MITRE
The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS) settings received from sites that use it. Due to a bug, sites on the pre-load list also have their HSTS setting removed. On the next visit to that site if the user specifies an http: URL rather than secure https: they will not be protected by the pre-loaded HSTS setting. After that visit the site's HSTS setting will be restored. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1.
Analysis
by VulDB Data Team • 08/09/2025
CVE-2019-11747 is a flaw in how Firefox's "Forget about this site" action (reachable from the History pane) handles HTTP Strict Transport Security (HSTS) state. The action is meant to remove everything the browser has stored that shows the user visited a site, and that correctly includes any HSTS policy the site itself delivered through a Strict-Transport-Security response header. The bug is that the cleanup also removed the HSTS entry for sites on Firefox's built-in HSTS preload list, a vendor-shipped list of hosts that must always be fetched over HTTPS regardless of anything the user has or has not done.
Preloaded entries are not user data and should have survived the cleanup; only the dynamically learned, per-user HSTS state should have been discarded. Because the preload entry was effectively hidden as well, a user who later entered a plain http: URL for one of these sites was not upgraded to https: and sent a cleartext request. The exposure lasts only until the browser next receives the site's Strict-Transport-Security header over HTTPS, at which point the policy is stored again and enforcement resumes. The practical effect is that a user-triggered privacy action silently switched off a protection the browser vendor had guaranteed for high-value sites.
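The following JavaScript is an added illustration written for this page; it is not Firefox code and does not reproduce nsSiteSecurityService. It models HSTS state as a preload list plus dynamic entries learned from response headers, implements the pre-fix "forget" behaviour beside a corrected variant, and replays the sequence the summary describes: typed http: URL, forget, typed http: URL again, restoration after the next HTTPS response. The host name and the preload list are constructed for the example.

```javascript
// Simplified model of browser HSTS state (added example, not Firefox's code).
// Assumption: a vendor preload list plus a per-user dynamic map learned from
// Strict-Transport-Security headers, with a "knockout" marker for cleared hosts.

const PRELOAD = new Set(["example-preloaded.test"]); // constructed sample list

class HstsStore {
  constructor() {
    this.dynamic = new Map();  // host -> expiry (ms since epoch)
    this.knockout = new Set(); // hosts the user asked the browser to forget
  }

  // Called when an HTTPS response carries Strict-Transport-Security.
  processHeader(host, headerValue, now) {
    const m = /max-age=(\d+)/i.exec(headerValue);
    if (!m) return false;
    const maxAge = Number(m[1]);
    if (maxAge === 0) {
      this.dynamic.delete(host);
      return true;
    }
    this.dynamic.set(host, now + maxAge * 1000);
    this.knockout.delete(host); // a fresh header restores enforcement
    return true;
  }

  // Should a request to this host be forced onto HTTPS?
  isSecureHost(host, now) {
    if (this.knockout.has(host)) return false;
    const exp = this.dynamic.get(host);
    if (exp !== undefined && exp > now) return true;
    return PRELOAD.has(host);
  }

  // Pre-fix behaviour described by the CVE: the knockout written by
  // "Forget about this site" hides the preload entry as well.
  forgetSiteBuggy(host) {
    this.dynamic.delete(host);
    this.knockout.add(host);
  }

  // Corrected behaviour: drop only user-specific state; a preloaded host
  // must keep its vendor-shipped policy.
  forgetSiteFixed(host) {
    this.dynamic.delete(host);
    if (!PRELOAD.has(host)) this.knockout.add(host);
  }
}

// Resolve the URL the browser would actually fetch for a typed URL.
function navigate(store, typedUrl, now) {
  const url = new URL(typedUrl);
  if (url.protocol === "http:" && store.isSecureHost(url.hostname, now)) {
    url.protocol = "https:";
  }
  return url.href;
}

// Replay the sequence from the advisory for either forget variant and
// return the three URLs that would be requested.
function scenario(buggy) {
  const host = "example-preloaded.test";
  const now = 1700000000000; // fixed clock so the run is deterministic
  const store = new HstsStore();
  const typed = `http://${host}/login`;

  const before = navigate(store, typed, now);
  if (buggy) store.forgetSiteBuggy(host);
  else store.forgetSiteFixed(host);
  const afterForget = navigate(store, typed, now);

  // The site answers the next HTTPS request with its HSTS header.
  store.processHeader(host, "max-age=31536000; includeSubDomains", now);
  const afterRestore = navigate(store, typed, now);

  return { before, afterForget, afterRestore };
}

console.log("buggy:", scenario(true));
console.log("fixed:", scenario(false));
```

In the buggy run the middle request goes out as `http://example-preloaded.test/login`, which is exactly the single cleartext request an on-path attacker needs; in the fixed run all three requests are upgraded to https:.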
The operational impact is a short, user-created gap rather than a remotely triggerable one: it opens only after the user runs "Forget about this site" on a preloaded host, and it is exploitable only if the user then requests an http: URL for that host while an attacker sits on the network path. In that window the attacker can answer or redirect the cleartext request, serve a look-alike page, or read any cookie the site did not mark Secure, which is the session-hijacking scenario the preload list exists to rule out. Affected versions are Firefox before 69 and Firefox ESR before 68.1. VulDB classifies the weakness as CWE-284 (Improper Access Control) and maps it to ATT&CK technique T1185 (Browser Session Hijacking); the attack pattern it enables in practice is a man-in-the-middle downgrade of that first request.
Two points matter when assessing exposure. First, the gap closes on its own as soon as the browser receives the site's Strict-Transport-Security header over HTTPS again, so the vulnerable period is typically one request, but that first request is the one that carries the user's cookies and credentials. Second, the fix is version-based: upgrading to Firefox 69 or Firefox ESR 68.1 or later restores the expected behaviour in which "Forget about this site" clears only user-learned HSTS state and never hides a preload entry. Until then, users who rely on the feature should reach preloaded sites through an https: bookmark or typed https: URL rather than an http: one. The bug is a reminder that a privacy cleanup routine and the security policy store it touches must agree on which entries are user data and which are invariant browser policy.