Mozilla has released Firefox 74.0.1 and Firefox ESR 68.6.1 to fix two critical vulnerabilities that are being exploited in the wild by hackers. Both flaws allow a remote attacker to execute arbitrary code and compromise a vulnerable system.
The bugs, tracked as CVE-2020-6819 and CVE-2020-6820, are use-after-free vulnerabilities. The first is caused by a race condition when running the nsDocShell destructor, and the second by a race condition when handling a ReadableStream.
The CVE-2020-6819 and CVE-2020-6820 flaws can be exploited by tricking a victim into visiting a maliciously crafted web site.
Mozilla did not share additional details about how these vulnerabilities were exploited, or who is behind the attacks. All users are encouraged to install the latest update as soon as possible.
This is the second zero-day vulnerability that Mozilla has fixed in Firefox this year. In January, the browser maker released Firefox v72.0.1 to patch the CVE-2019-17026 bug exploited by an APT group known as DarkHotel.