When visiting the redirect web page, a malicious JavaScript script is executed that exploits a use-after-free memory vulnerability within the Firefox animation timelines function. The flaw, now tracked as CVE-2024-9680, was patched on Oct. 9, at some point after the ESET researchers reported it to Mozilla. The vulnerability is rated important with a score of 9.8 and results in code execution inside the Firefox content process, specifically a malicious DLL library in this case.
“Mozilla patched the vulnerability in Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1 on October 9, 2024,” the ESET researchers said. “Basically, the pointers to the animation objects handled by the timeline are now implemented through reference-counting pointers (RefPtr), as suggested by the diff, which prevents the animations from being freed, since AnimationTimeline::Tick will still hold a reference to them.”
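The ownership pattern the researchers describe can be shown in isolation. The following is an added example, not Mozilla's code or the actual patch: `Animation`, `Timeline`, `demo` and `g_live` are hypothetical names, and `std::shared_ptr` stands in for a reference-counting pointer such as RefPtr. A callback removes an animation from the timeline during a tick, and the strong references held by the tick loop keep the object allocated until the loop ends.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Illustrative names; std::shared_ptr stands in for a RefPtr-style pointer.
int g_live = 0;                        // Animation objects currently allocated
struct Animation {
    std::function<void()> onTick;      // script-like callback run on each tick
    Animation() { ++g_live; }
    ~Animation() { --g_live; }
    void Tick() { if (onTick) onTick(); }
};

class Timeline {
    std::vector<std::shared_ptr<Animation>> animations_;
public:
    void Add(std::shared_ptr<Animation> a) { animations_.push_back(std::move(a)); }
    void Remove(const Animation* a) {
        animations_.erase(std::remove_if(animations_.begin(), animations_.end(),
            [a](const std::shared_ptr<Animation>& p) { return p.get() == a; }),
            animations_.end());
    }
    // Tick over a snapshot of strong references. A callback may remove an
    // animation from the timeline mid-loop; the snapshot keeps it allocated
    // until the loop ends. A snapshot of raw Animation* would dangle instead.
    int Tick() {
        std::vector<std::shared_ptr<Animation>> snapshot = animations_;
        for (const auto& anim : snapshot) anim->Tick();
        return g_live;                 // objects still alive at end of the loop
    }
};

// Constructed scenario: the first animation's callback removes the second.
// Returns {alive at the end of the tick loop, alive after Tick() returns}.
std::pair<int, int> demo() {
    Timeline tl;
    auto first = std::make_shared<Animation>();
    auto second = std::make_shared<Animation>();
    Animation* target = second.get();
    first->onTick = [&tl, target] { tl.Remove(target); };
    tl.Add(first);
    tl.Add(std::move(second));         // the timeline is now its only owner
    int during = tl.Tick();
    return {during, g_live};
}
int main() { auto r = demo(); std::printf("during=%d after=%d\n", r.first, r.second); }
```

The removed animation is released only when the snapshot goes out of scope, so the loop never dereferences freed memory.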
A privilege escalation flaw in Windows Task Scheduler
The Firefox content process is sandboxed, having an untrusted privilege level, which means that the attackers couldn’t execute code on the underlying operating system with just the Firefox vulnerability alone.