Firefox Zero-Day Under Attack: Update Your Browser Immediately

Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug in the Animation timeline component.
"An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines," Mozilla said in a Wednesday advisory.
"We have had reports of this vulnerability being exploited in the wild."
Security researcher Damien Schaeffer from Slovakian company ESET has been credited with discovering and reporting the vulnerability.
The issue has been addressed in the following versions of the web browser
- Firefox 131.0.2
- Firefox ESR 128.3.1, and
- Firefox ESR 115.16.1.
There are currently no details on how the vulnerability is being exploited and the identity of the threat actor behind them.
That said, such remote code execution vulnerabilities could be weaponized in several ways, either as part of a watering hole attack targeting specific websites or by means of a drive-by download campaign that tricks users into visiting bogus websites.
Users are advised to update to the latest version to stay protected against active threats.
Internet Archive hacked, data breach impacts 31 million users
CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalSession Management Response Identified
InformationalSec-Fetch-User Header Has an Invalid Value
HighPath Traversal
Medium.env Information Leak
InformationalBase64 Disclosure in WebSocket message
HighPath Traversal
HighSQL Injection
Free online web security scanner