Mozilla said on Wednesday that it patched a zero-day vulnerability in the Firefox browser that could have allowed hackers to take over target systems. The patch is available in the Firefox 72.0.1 and Firefox ESR 68.4.1 updates released yesterday.
The organization explained that "incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion." Attackers could exploit that issue to gain access to, and control over, systems running Firefox.
Mozilla and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) both said that attackers have exploited this vulnerability in the wild. That's why CISA advised all Firefox users to "apply the necessary updates" in its own advisory.
The vulnerability was assigned the identifier CVE-2019-17026. Its entry in the National Vulnerability Database, which is maintained by the U.S. National Institute of Standards and Technology (NIST), is not currently available via NIST's website.
Aside from those few details, the only thing Mozilla revealed about the vulnerability was that it was disclosed by Qihoo 360, a Chinese security company. Hopefully more information will be shared following the vulnerability's initial disclosure.
Firefox 72.0.1 and Firefox ESR 68.4.1 can be downloaded via Mozilla's website. People who use the browser can also update it by clicking the "About Firefox" option in the Help menu (Windows) or the Firefox menu (macOS) of the menu bar.