Mozilla has discovered that a critical security flaw affecting Firefox and Firefox Extended Support Release (ESR) is being actively exploited in the wild.
The vulnerability, tracked as CVE-2024-9680, was described as a use-after-free bug in the animation timeline component.
“An attacker was able to cause code execution in the content process by exploiting ‘use-after-free’ in animation timelines,” Mozilla said in an advisory on Wednesday.
“We have had reports of this vulnerability being exploited in the wild.”
Security researcher Damien Schaeffer of Slovakian company ESET is credited with discovering and reporting the vulnerability.
The issue has been resolved in the following versions of the web browser:
- Firefox 131.0.2
- Firefox ESR 128.3.1 and
- Firefox ESR 115.16.1.
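Because the fix lands in three different release branches, a plain "is my version newer than 131.0.2" comparison would wrongly flag every ESR build as vulnerable. The following is an added example (not Mozilla's code, and not from the advisory) that checks a Firefox version string against the fixed releases listed above, choosing the threshold by branch: 115.x and 128.x are treated as the ESR lines, everything else as the rapid-release line. The inventory lines and host names at the bottom are constructed sample data.

```python
"""Branch-aware check of Firefox version strings against the releases that
fix CVE-2024-9680 (Firefox 131.0.2, ESR 128.3.1, ESR 115.16.1).
Added example; the only facts it relies on are the three fixed versions
quoted in the article."""
from typing import List, Tuple

# Minimum patched version per release branch. The branch is identified by
# the major version: 115.x and 128.x are ESR lines, anything else follows
# the rapid-release line.
FIXED_VERSIONS = {
    "esr115": (115, 16, 1),
    "esr128": (128, 3, 1),
    "release": (131, 0, 2),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '128.3.1esr' or '131.0.2' into a comparable integer tuple.

    A trailing 'esr' tag is stripped, and missing components are padded
    with 0 so that '131' compares as (131, 0, 0)."""
    core = version.strip().lower()
    if core.endswith("esr"):
        core = core[:-3]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unrecognised component {part!r} in {version!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def branch_for(version: Tuple[int, int, int]) -> str:
    """Map a parsed version to the branch whose fix threshold applies."""
    major = version[0]
    if major == 115:
        return "esr115"
    if major == 128:
        return "esr128"
    return "release"


def is_patched(version: str) -> bool:
    """True if the version is at or above the fix for its own branch.

    A rapid-release build older than 131.0.2 (e.g. 130.0) is unpatched;
    a newer one (e.g. 132.0) is patched. ESR 128.3.0 is unpatched even
    though 128 < 131, because it is compared against 128.3.1 instead."""
    parsed = parse_version(version)
    return parsed >= FIXED_VERSIONS[branch_for(parsed)]


# Constructed sample inventory: "hostname,firefox_version" per line.
SAMPLE_INVENTORY = """\
# host,version
ws01,131.0.1
ws02,131.0.2
srv-kiosk,128.3.0esr
srv-lab,128.3.1esr
legacy-01,115.16.0esr
legacy-02,115.17.0esr
ws03,130.0
ws04,132.0
"""


def unpatched_hosts(inventory: str) -> List[str]:
    """Return the hosts whose recorded Firefox build still lacks the fix."""
    flagged = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split(",", 1)
        if not is_patched(version):
            flagged.append(host.strip())
    return flagged


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Firefox build predates the CVE-2024-9680 fix")
```

The branch mapping is the part worth keeping: an ESR deployment that reports 128.3.1 is fully patched, and a naive "greater than 131.0.2" rule would generate a false finding for every such host.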
Currently, there are no details on how this vulnerability is used in actual attacks or who is behind them.
However, remote code execution vulnerabilities of this kind can be exploited in several ways, either as part of a watering hole attack that compromises specific websites or through a drive-by download campaign that tricks users into visiting fake websites.
Users are advised to update to the latest version to stay protected from active threats.