Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to fix two critical zero-day vulnerabilities actively exploited in attacks. Both zero-day vulnerabilities are “Use-after-free” bugs, which is when a program tries to use memory that has been previously cleared. When threat actors exploit this type of bug, it can cause the program to crash while at the same time allowing commands to be executed on the device without permission.
While Mozilla has not shared how threat actors use these zero-day vulnerabilities in attacks, it was likely done by redirecting Firefox users to maliciously crafted web pages. These vulnerabilities were discovered and disclosed to Mozilla by Chinese cybersecurity company Qihoo 360 ATA. Due to the critical nature of these bugs, and they are being actively exploited, it is strongly recommended that all Firefox users update their browsers immediately.