Firefox Gets Emergency Patch to Stop Zero-Day Attacks

Mozilla has pushed out an emergency patch for the Firefox browser on all platforms, fixing a zero-day vulnerability that is being exploited in real-life attacks.

Credit: Mozilla

"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop," states a brief Firefox security advisory posted today (June 18) by Mozilla. "This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw."

The flaw, given the catalog number CVE-2019-11707, affects all currently supported versions of Firefox, which are Firefox 67.0 through 67.0.2, as well as Firefox ESR (Extended Support Release) 60.0 through 60.7.0, according to a Czech vulnerability database.

Firefox versions 57 through 66 are presumably vulnerable as well, though it's not yet clear whether versions 56 and earlier, which used different rendering and extensions technologies than the current Firefox browser, are also affected.

Users should update to Firefox 67.0.3 or Firefox ESR 60.7.1. On a Windows PC or a Mac, exiting the browser application and then reopening the application should prompt an update. Android and iOS apps will prompt you to update eventually, but you can update now by going to the Firefox page in either platform's app store. Linux users are at the mercy of their distributions.
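To check a fleet against the version ranges given above, the following added example (not code from Mozilla or from this article) classifies reported version strings. The function names and the host inventory are constructed for illustration, and the input is assumed to be in the form printed by `firefox --version`, with an `esr` suffix on ESR builds.

```python
import re

# Boundaries as stated in the article; names are hypothetical.
RELEASE_FIXED = (67, 0, 3)
ESR_FIXED = (60, 7, 1)
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){0,2})(esr)?", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "67.0" -> (67, 0, 0)
    return tuple(parts), m.group(2) is not None

def classify(text):
    """Map one version string to fixed / affected / presumed-affected / unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"
    version, is_esr = parsed
    if is_esr:  # channel matters: 60.7.1esr is fixed, release 60.x is not
        if version >= ESR_FIXED:
            return "fixed"
        return "affected" if version >= (60, 0, 0) else "unknown"
    if version >= RELEASE_FIXED:
        return "fixed"
    if version >= (67, 0, 0):
        return "affected"
    if version >= (57, 0, 0):
        return "presumed-affected"  # 57 through 66, per the article
    return "unknown"  # 56 and earlier: not yet clear

INVENTORY = {  # constructed sample data
    "ws-01": "Mozilla Firefox 67.0.2",
    "ws-02": "Mozilla Firefox 67.0.3",
    "ws-03": "Mozilla Firefox 60.7.0esr",
    "ws-04": "Mozilla Firefox 60.7.1esr",
    "ws-05": "Mozilla Firefox 65.0",
    "ws-06": "Mozilla Firefox 52.9.0esr",
}

def needs_update(inventory):
    """Hosts whose reported version is not at or past the fixed release."""
    return sorted(h for h, v in inventory.items() if classify(v) != "fixed")

if __name__ == "__main__":
    for host, raw in sorted(INVENTORY.items()):
        print(f"{host}\t{raw}\t{classify(raw)}")
```

An inventory source that drops the `esr` suffix will report a patched ESR 60.7.1 host as presumed-affected, so record the channel alongside the version number.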

Paul Wagenseil
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. That's all he's going to tell you unless you meet him in person.