Mozilla also fixed the second zero-day vulnerability in Firefox that was actively exploited. This patch addresses a vulnerability that allowed the sandbox to be abandoned, allowing code execution on affected computers, along with other vulnerabilities.
Vulnerability patch CVE-2019-11708 brings Firefox to version 67.0.4 and Firefox ESR to 60.7.2. Mozilla explains that the parameters for Prompt:Open messages were not sufficiently checked, allowing attackers to access web content without the restrictions of the sandbox.
Combined with the zero-day leak patched on Wednesday, this sandbox escape allowed attackers to execute arbitrary code on affected systems. Simply a web page with malicious code was enough to trigger a successful attack.
Employees of the cryptocurrency exchange Coinbase were attacked via the two vulnerabilities, the company discovered on Monday. Coinbase managed to repel the attack and notified Mozilla, reports the company’s chief information security officer, Philip Martin. Coinbase wouldn’t be the only cryptocurrency organization to have been attacked. The stock market will provide more details about the attack shortly.