Did you notice your Firefox browser prompting you to update it? It’s because Mozilla just released an emergency patch addressing CVE-2019-11707, an actively exploited critical security vulnerability.
This means that your Firefox browser needs to be patched immediately so that you avoid attacks. According to the official documentation, security vulnerabilities have been fixed in Firefox 67.0.3 and Firefox ESR 60.7.1.
CVE-2019-11707: Type Confusion in Array.pop Fixed
There isn’t much information about the attacks based on CVE-2019-11707. According to rumors, the bug can be used for stealing cryptocurrency but Mozilla hasn’t confirmed. More details may be released in the upcoming days.
It’s important to note that CVE-2019-11707 was discovered by Samuel Groß, researcher at Google Project Zero, and Coinbase Security.
In a conversation with ZDNet, the researcher said that “the bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape” in order to run code on an underlying operating system.
However, it’s very likely that it can be exploited for UXSS [universal cross-site scripting] attacks depending on the attacker’s goals.
The critical bug exists in Firefox versions higher than 67.0.3. Users must install the latest release of the browser to be protected. Firefox ESR users need version 60.7.1. The good news is that Mozilla has initiated the automatic rollout of the fix using its browser’s built-in update mechanism. Keep in mind that you need to restart the browser for the patch to be applied.