Critical Firefox Zero-Day Vulnerability Under Exploitation: Update Now

A critical vulnerability has been discovered in Mozilla’s Firefox and Firefox Extended Support Release (ESR) browsers, which is currently being exploited by attackers.

Designated as CVE-2024-9680, this severe flaw (with a CVSS score of 9.8) stems from a use-after-free error within the browser’s Animation timeline component.

According to Mozilla, "The vulnerability enabled attackers to execute arbitrary code within the content process by leveraging the use-after-free issue in Animation timelines." This security flaw is already being targeted in the wild, as confirmed by recent reports.

The vulnerability was first uncovered and reported by Damien Schaeffler, a security researcher at the Slovak cybersecurity company ESET.

Mozilla has since released patches to resolve the issue in the following browser versions:

  • Firefox 131.0.2
  • Firefox ESR 128.3.1
  • Firefox ESR 115.16.1

At this time, specific details regarding the exploitation method or the individuals behind the attacks remain undisclosed. However, vulnerabilities like this, which allow for remote code execution, are often used in various types of attacks, such as watering hole attacks, which compromise legitimate websites, or drive-by downloads, which trick users into visiting malicious sites.

Users are strongly encouraged to update their Firefox browsers to the latest versions immediately to safeguard against potential risks.
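To confirm that hosts are on the fixed builds listed above, the following added example (not from Mozilla or the original article) classifies `firefox --version` output per host against the patched version for its channel. The tab-separated inventory format, the host names, and the `review` status for ESR branches the article does not list are assumptions.

```python
import re

# Fixed builds listed in the article: release channel and per-ESR-branch.
FIXED_RELEASE = (131, 0, 2)
FIXED_ESR = {128: (128, 3, 1), 115: (115, 16, 1)}

# Matches banners such as "Mozilla Firefox 131.0.2" or "Mozilla Firefox 128.3.1esr".
BANNER_RE = re.compile(r"Firefox\s+(\d+(?:\.\d+){0,2})(esr)?", re.IGNORECASE)

def parse_banner(banner):
    """Return ((major, minor, patch), is_esr), or None if no version is found."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "132.0" -> (132, 0, 0)
    return tuple(parts), bool(m.group(2))

def status(banner):
    """Classify one banner as patched, update, review or unparsed."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparsed"
    version, is_esr = parsed
    if is_esr:
        fixed = FIXED_ESR.get(version[0])
        if fixed is None:
            # Assumption: an ESR branch the article does not list needs manual review.
            return "review"
    else:
        fixed = FIXED_RELEASE
    return "patched" if version >= fixed else "update"

def audit(inventory):
    """Map host -> status for lines of the form '<host>\\t<firefox --version output>'."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, banner = line.partition("\t")
        results[host.strip()] = status(banner)
    return results

# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE = """ws-01\tMozilla Firefox 131.0.2
ws-02\tMozilla Firefox 130.0.1
ws-03\tMozilla Firefox 128.3.0esr
ws-04\tMozilla Firefox 115.16.1esr
ws-05\tMozilla Firefox 102.15.1esr
ws-06\tfirefox: command not found"""

if __name__ == "__main__":
    for host, state in audit(SAMPLE).items():
        print(f"{host}\t{state}")
```

Hosts reported as `update` are below the fixed build for their channel; `review` and `unparsed` need a manual look.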