Mozilla Fixes a Firefox Zero-Day Vulnerability That’s Already Under Active Exploitation

By Bill Toulas / June 19, 2019

Mozilla urges Firefox users to update their browser immediately to version 67.0.3 or ESR (Extended Support Release) 60.7.1, both released earlier today, which fix a severe zero-day vulnerability that has already been under active exploitation for quite a while. The flaw concerns manipulation of JavaScript objects in Array.pop, resulting in an exploitable crash. It was discovered by Samuel Groß of Google’s Project Zero, one of the most active security teams; the Coinbase Security team also took credit, and the flaw was assigned the identifier CVE-2019-11707.

According to further details Groß provided to ZDNet, the flaw could be exploited for remote code execution (RCE) combined with a sandbox escape, which would allow malicious code to run on the operating system the browser is running on. However, Groß clarified that this scenario is not very likely, as the vast majority of exploitation of this flaw would happen through UXSS (universal cross-site scripting), a method that should cover most attackers’ needs. These attacks possibly target cryptocurrency owners, which is where Coinbase comes into play.

Coinbase has not published a blog post on the matter, nor has it responded to any requests for comment yet, so the technical details and the actual scope and potential of the exploitation have not been defined. What has been determined is the date the zero-day flaw was disclosed to Mozilla, April 15, so this fix didn’t come very quickly considering the criticality and the risks that cryptocurrency owners had to bear for over a full month. Firefox is generally a reliable browser, and the last time Mozilla had to fix a zero-day vulnerability was in December 2016. After all, Tor, the de facto choice for many cryptocurrency users, is basically a patched version of ESR Firefox.

Without further ado, if you’re using Firefox, update your browser immediately. While Mozilla hasn’t released many technical details or a proof-of-concept for this vulnerability, it is already being exploited in the wild, so attackers already know how to do the trick. The only users who don’t need to worry about this zero-day flaw are those running Firefox on Android, iOS, and Amazon Fire TV.
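For anyone checking a fleet rather than a single machine, the following script is an added example (not from the article or from Mozilla) that classifies Firefox version strings against the two fixed versions named above, 67.0.3 and ESR 60.7.1; the inventory values in it are constructed, and the `firefox --version` output format it parses is an assumption.

```python
"""Classify Firefox version strings as patched or unpatched for CVE-2019-11707.

Fixed versions per the article: Firefox 67.0.3 and Firefox ESR 60.7.1.
Assumption: anything on a later line (e.g. 68.x ESR) carries the fix too.
"""
import re
from typing import Dict, List, Tuple

FIXED_RELEASE = (67, 0, 3)   # release channel fix
FIXED_ESR_60 = (60, 7, 1)    # fix on the 60.x ESR line


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as '67.0.3',
    '60.7.1esr' or assumed `firefox --version` output like
    'Mozilla Firefox 60.7.0esr'. A missing patch component counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    patch = int(m.group(3)) if m.group(3) else 0
    return (int(m.group(1)), int(m.group(2)), patch)


def is_patched(text: str) -> bool:
    """True when the version carries the fix:
    - at or above 67.0.3 (release channel, or any later ESR line);
    - on the 60.x ESR line, 60.7.1 and later.
    Everything else (older releases, 60.x before 60.7.1) is unpatched."""
    version = parse_version(text)
    if version >= FIXED_RELEASE:
        return True
    return version[0] == 60 and version >= FIXED_ESR_60


def unpatched_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose reported Firefox version is still vulnerable."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported version string.
    sample = {
        "desk-01": "Mozilla Firefox 67.0.3",
        "desk-02": "Mozilla Firefox 67.0.2",
        "kiosk-a": "60.7.0esr",
        "kiosk-b": "60.7.1esr",
    }
    for host in unpatched_hosts(sample):
        print(f"{host}: update required for CVE-2019-11707")
```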

Do you trust Firefox, or do you prefer a different browser? Let us know of your choice in the comments down below, and help us spread the word of warning by sharing this post through our socials, on Facebook and Twitter.
