Mozilla has swiftly addressed a newly discovered zero-day vulnerability with the release of Firefox 131.0.2 on October 12, 2024. This marks the first zero-day vulnerability found in Firefox this year. The flaw, designated as CVE-2024-9680, is a use-after-free (UAF) issue related to CSS animations. Exploiting this vulnerability could allow attackers to execute arbitrary malicious code, posing a significant risk to users. The vulnerability was identified by ESET researcher Damien Schaeffer, although Mozilla has chosen to remain tight-lipped about the specifics of the ongoing attacks and their scale.
Firefox users generally benefit from automatic updates, but those who haven't yet updated to version 131.0.2 can manually trigger an update through the Help > About Firefox menu. Alongside this update, Mozilla also released security patches for the two Extended Support Release (ESR) versions of Firefox and the Tor Browser, namely Firefox ESR 115.16.1, Firefox ESR 128.3.1, and Tor Browser 13.5.7. The Tor Browser, which is based on Firefox ESR 115.16, has integrated the fix for CVE-2024-9680, so users are protected against this flaw once they update.
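For administrators who cannot rely on automatic updates, the following added example (not Mozilla's tooling or part of the original article) checks collected browser version strings against the fixed versions named above. The inventory format, host names and the `classify`/`audit` helpers are assumptions for illustration; ESR branches the article does not mention are reported as `unknown` rather than guessed.

```python
import re

# Fixed versions exactly as stated in the article.
FIXED_RELEASE = (131, 0, 2)
FIXED_ESR = {115: (115, 16, 1), 128: (128, 3, 1)}  # keyed by ESR major branch
FIXED_TOR = (13, 5, 7)

# Assumed input: one "<product> <version>[esr]" line per host.
_VERSION_RE = re.compile(
    r"^(?P<product>Mozilla Firefox|Tor Browser)\s+"
    r"(?P<ver>\d+(?:\.\d+){0,2})(?P<esr>esr)?\s*$"
)

def _as_tuple(ver):
    """Turn '131.0' into (131, 0, 0) so versions compare numerically."""
    parts = [int(p) for p in ver.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_line):
    """Return 'patched', 'needs-update' or 'unknown' for one version line."""
    m = _VERSION_RE.match(version_line.strip())
    if not m:
        return "unknown"  # unparseable or pre-release string
    ver = _as_tuple(m.group("ver"))
    if m.group("product") == "Tor Browser":
        return "patched" if ver >= FIXED_TOR else "needs-update"
    if m.group("esr"):
        fixed = FIXED_ESR.get(ver[0])
        if fixed is None:
            return "unknown"  # ESR branch not covered by the article
        return "patched" if ver >= fixed else "needs-update"
    return "patched" if ver >= FIXED_RELEASE else "needs-update"

# Constructed sample inventory (hypothetical hosts and values).
SAMPLE_INVENTORY = {
    "ws-001": "Mozilla Firefox 131.0.2",
    "ws-002": "Mozilla Firefox 131.0",
    "ws-003": "Mozilla Firefox 128.3.0esr",
    "ws-004": "Mozilla Firefox 115.16.1esr",
    "ws-005": "Tor Browser 13.5.6",
    "ws-006": "Mozilla Firefox 102.15.0esr",
}

def audit(inventory):
    """Map each host to its patch status for CVE-2024-9680."""
    return {host: classify(line) for host, line in inventory.items()}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```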