Mozilla has released a patch for Firefox 72 and Firefox ESR 68.4 to address a zero-day flaw in IonMonkey, Firefox’s JavaScript JIT compiler. According to the security advisory, the bug is currently being exploited in the wild, so it’s very important that you apply the latest updates.
According to the Cybersecurity and Infrastructure Security Agency (CISA), the exploit could be used to take control of an affected system. Its guidance is for users to review Mozilla’s security advisory and apply the necessary updates to affected versions of Firefox. It’s not clear which version of Firefox was the first to be affected, but since the flaw affects Firefox 68.4, there’s a good chance the error has been present in the code for months.
More information on the bug is not available at the time of writing. The bug referenced in the advisory is inaccessible to visitors without the appropriate permissions; this measure will have been taken to protect users from malicious actors who would want to use the information to develop an exploit against targets.
Firefox usually updates itself in a timely manner on Windows and macOS. If you’d like to apply the patch manually, press the menu button, go to Help, and then select About Firefox. The About Mozilla Firefox window will open, the update will download, and you’ll be prompted to restart your browser to apply it. If you’re on Linux, this method typically won’t work, and you’ll need to wait until the repositories have been updated with the new software, which usually shouldn’t take too long.