---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in Mozilla Firefox'
version: '1.0'
number: '2020-001'
date: 'January 10, 2020'
---

_History:_

* _10/01/2020 --- v1.0 -- Initial publication_

# Summary

A critical vulnerability affecting Mozilla Firefox has been disclosed [1]. The vulnerability, identified as CVE-2019-17026, allows attackers to read from and write to memory locations that are off-limits, and could lead to information disclosure, security bypass and crashes. This vulnerability is actively being exploited in the wild.

# Technical Details

This vulnerability is a _type confusion_ in the IonMonkey Just-in-Time (JIT) compiler for SpiderMonkey [2]. A type confusion occurs when a resource is accessed as a type that is different from, and incompatible with, its original type. Depending on the type confusion, an attacker could disclose sensitive information or cause crashes by accessing memory locations that are off-limits.

# Products Affected

This vulnerability affects the following products:

* Firefox prior to 72.0.1
* Firefox ESR prior to 68.4.1

# Recommendations

As this vulnerability is under active exploitation, it is highly recommended to update to the latest version of Firefox or Firefox ESR.

# References

[1]
[2]
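To help verify the Products Affected list against an installed build, here is an added example (not part of the CERT-EU advisory) that classifies a Firefox version banner as affected or fixed for CVE-2019-17026, keeping the release and ESR branches separate so that an ESR build is compared against 68.4.1 rather than 72.0.1. It assumes the banner has the form printed by `firefox --version` (e.g. "Mozilla Firefox 68.4.0esr"); the sample banners are constructed.

```python
import re

# Fixed versions stated in the advisory: Firefox 72.0.1 and Firefox ESR 68.4.1.
FIXED_VERSIONS = {
    "release": (72, 0, 1),
    "esr": (68, 4, 1),
}

# Assumed banner format of `firefox --version`, e.g. "Mozilla Firefox 68.4.0esr".
# The patch component is optional ("72.0" is treated as 72.0.0).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


def parse_firefox_version(banner: str):
    """Return (branch, (major, minor, patch)) parsed from a Firefox version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {banner!r}")
    major, minor, patch, esr = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    branch = "esr" if esr else "release"
    return branch, version


def is_affected_by_cve_2019_17026(banner: str) -> bool:
    """True when the build predates the fixed version on its own branch."""
    branch, version = parse_firefox_version(banner)
    return version < FIXED_VERSIONS[branch]


if __name__ == "__main__":
    # Constructed sample banners, not real inventory data.
    for banner in ["Mozilla Firefox 72.0", "Mozilla Firefox 72.0.1",
                   "Mozilla Firefox 68.4.0esr", "Mozilla Firefox 68.4.1esr"]:
        state = "AFFECTED" if is_affected_by_cve_2019_17026(banner) else "fixed"
        print(f"{banner:28} -> {state}")
```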