According to Groß, hackers are able to exploit the bug for “Remote Control Execution”, or RCE, but it would only be effective under certain conditions.
RCE usually affords attackers complete control over a targeted web server. In this case, considering the contents of Mozilla’s patch notes, it seems major cryptocurrency exchange Coinbase has been targeted directly.
“However, most likely it can be exploited for [Universal Cross-Site Scripting (UXSS) attacks] which might be enough depending on the attacker’s goals,” Groß continued.
UXSS attacks often lead to loss of sensitive information, such as usernames, passwords, and other critical credentials.
So far, no specific details of how the bug has been exploited have been released. Hard Fork has reached out to Coinbase for more information, and will update this piece should we receive a reply.
Mozilla has now released a patch, and urged users to update their browsers as soon as possible.