Update Firefox now! Zero-day found in the wild
The bug affects both Firefox and its enterprise counterpart, Extended Support Release (ESR). According to Mozilla’s advisory:
array object to contain a collection of data items.
pop is a command that they can use to remove the last element of an array.
A type confusion vulnerability happens when a program doesn’t check the type of a data item that is passed to it. It might assume it’s getting a number, for example, when it actually gets a string. If it doesn’t check, then it can mishandle the data item, potentially destabilising its code.
In this case, the effect is catastrophic, the advisory warned:
This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.