UPDATE

Mozilla has fixed a high-severity vulnerability in its Firefox browser being actively exploited in the wild.

The vulnerability (CVE-2019-11708) is separate from a critical flaw under active attack that was patched earlier this week (CVE-2019-11707). However, both vulnerabilities were discovered by Coinbase Security, who said that the flaws were being used in active spear phishing attacks targeting Coinbase employees.

The high-severity sandbox-escape flaw stems from insufficient vetting of “Prompt:Open” inter process communication (IPC) messages, which are passed between different processes on the browser. The flaw “can result in the non-sandboxed parent process opening web content chosen by a compromised child process,” according to Mozilla’s advisory.

“When combined with additional vulnerabilities this could result in executing arbitrary code on the user’s computer,” according to Mozilla.

Mozilla said that Firefox 67.0.4 and Firefox ESR 60.7.2 fix the issue.

Coinbase chief information security officer Philip Martin said on Twitter, Wednesday, that Coinbase had spotted both this high-severity flaw, as well as the critical flaw patched earlier this week, being exploited by an attacker who was targeting Coinbase employees.

Martin said he has seen no evidence of attacks targeting Coinbase customers – and that Coinbase was not the only cryptocurrency organization targeted in the campaign.

3/ We’ve seen no evidence of exploitation targeting customers. We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted. We’re also releasing a set of IOCs that orgs can use to evaluate their potential exposure. — Philip Martin (@SecurityGuyPhil) June 19, 2019

“We walked back the entire attack, recovered and reported the 0-day to firefox, pulled apart the malware and infra used in the attack and are working with various orgs to continue burning down attacker infrastructure and digging into the attacker involved,” he said on Twitter.

Martin said that a more detailed analysis will be released next week.

The critical flaw patched earlier this week (CVE-2019-11707) is a type confusion vulnerability in the Array.pop, which is an array method that is used in JavaScript objects in Firefox. The vulnerability, under active attack, enables bad actors to take full control of systems running the vulnerable Firefox versions.

Tor Browser also updated to version 8.5.2 in response to the critical Firefox flaw (The issue affects Tor, since, as its founders said back in 2016, Firefox is at the heart of the privacy-focused onion browser).

“On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign,” Selena Deckelmann, senior director of Firefox Browser Engineering, told Threatpost. “In less than 24 hours, we released a fix for the exploit.”

This article was updated on June 26 at 8am to reflect the correct CVE for the vulnerability, CVE-2019-11708 (not CVE-2019-11709).