CVE-2019-11358 is an XSS risk for $.extend(true, {}, …): if passed an unsanitized source object, it could overwrite Object.prototype and so let arbitrary code be written.
I think that anyone able to do that on our wikis has to be an interface-admin already, so it's not necessarily relevant to us (as they could just write bad code directly into Common.js). Possibly this would allow a metawiki interface-admin to compromise e.g. enwiki code if they're doing a cross-wiki object request?
See-also: CVE-2019-5428 (seemingly we have a duplicate)
Fixed in 3.4.0
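
The recursive-merge behaviour behind CVE-2019-11358, as an added example that is not part of the original task description and is not jQuery's own code. `deepExtend`, its `skipProto` parameter, `demo` and the `constructedFlag` input are hypothetical names; the hardened branch models the 3.4.0 fix as skipping the `__proto__` key.

```javascript
// Simplified recursive merge written for illustration; not jQuery's source.
// skipProto=false models the pre-3.4.0 behaviour, skipProto=true the fixed one.
function deepExtend(target, source, skipProto) {
  for (const name in source) {
    // Hardened path: never follow the "__proto__" key into the target.
    if (skipProto && name === "__proto__") continue;
    const copy = source[name];
    if (copy !== null && typeof copy === "object" && !Array.isArray(copy)) {
      // For name === "__proto__" on a plain object, target[name] resolves
      // to Object.prototype, so the recursion writes into the shared prototype.
      const existing = target[name];
      const clone =
        existing !== null && typeof existing === "object" ? existing : {};
      target[name] = deepExtend(clone, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

function demo() {
  // Constructed input: JSON.parse creates an own, enumerable "__proto__" key,
  // which is how an unsanitized source object carries the payload.
  const untrusted = JSON.parse(
    '{"theme": {"color": "red"}, "__proto__": {"constructedFlag": true}}'
  );
  const results = {};

  // Unpatched merge: every object in the realm now inherits constructedFlag.
  deepExtend({}, untrusted, false);
  results.vulnerablePolluted = ({}).constructedFlag === true;
  delete Object.prototype.constructedFlag; // restore a clean prototype

  // Patched merge: the key is skipped, ordinary keys are still copied.
  const merged = deepExtend({}, untrusted, true);
  results.hardenedPolluted = ({}).constructedFlag === true;
  results.hardenedColor = merged.theme.color;
  return results;
}

console.log(demo());
```

The same check (`({}).someKey` after merging a constructed object) works as a regression test against a bundled jQuery to confirm the deployed version is 3.4.0 or later.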