Wednesday, October 16, 2024

Critical Update Needed for Firefox Browser

Mozilla has disclosed a critical security vulnerability, tracked as CVE-2024-9680, that is being actively exploited in the wild. The vulnerability, with a CVSS score of 9.8, is a use-after-free bug in the Animation timeline component of Firefox and Firefox Extended Support Release (ESR).

According to Mozilla, an attacker was able to achieve code execution in the content process by exploiting this vulnerability. The issue has been addressed in the latest versions of the web browser, including Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1. Security researcher Damien Schaeffer from ESET was credited with discovering and reporting the vulnerability.

The Tor project has also released an emergency update to the Tor Browser (version 13.5.7) to address CVE-2024-9680, as it has been used in attacks against Tor Browser users. While the details of the real-world exploitation are not yet known, such remote code execution vulnerabilities can be weaponized in various ways, such as through watering hole attacks or drive-by download campaigns. Users are strongly advised to update their browsers to the latest versions to protect against these active threats.
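The fixed versions above can be turned into a fleet check. The following is an added example, not code from Mozilla or from this article; it assumes version banners in the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix, and the host names and sample inventory are constructed.

```python
import re

# Fixed versions for CVE-2024-9680 as listed in the article.
FIXED_RELEASE = (131, 0, 2)
FIXED_ESR = {128: (128, 3, 1), 115: (115, 16, 1)}

# Matches release and ESR version strings such as "131.0.2" or "128.3.0esr".
# Assumption: ESR builds carry an "esr" suffix in `firefox --version` output.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(banner):
    """Return ((major, minor, patch), is_esr) parsed from a version banner."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no Firefox release/ESR version found in {banner!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def is_patched(banner):
    """True if the build is at or above the fixed version for its branch."""
    version, is_esr = parse_version(banner)
    if not is_esr:
        return version >= FIXED_RELEASE
    fixed = FIXED_ESR.get(version[0])
    if fixed is None:
        # Assumption for ESR branches the article does not name: branches
        # newer than 128 postdate the fix; older ones have no fixed build.
        return version[0] > max(FIXED_ESR)
    return version >= fixed


def unpatched_hosts(inventory):
    """Return sorted host names whose reported banner is below the fix."""
    return sorted(h for h, banner in inventory.items() if not is_patched(banner))


# Constructed sample inventory (host names and banners are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 131.0.2",
    "ws-02": "Mozilla Firefox 130.0.1",
    "ws-03": "Mozilla Firefox 128.3.0esr",
    "ws-04": "Mozilla Firefox 115.16.1esr",
}

if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE_INVENTORY))
```

Pre-release banners such as betas are rejected with `ValueError` rather than guessed at, so they surface for manual review.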
