Firefox is the underlying browser for the TOR Project's anonymising TorBrowser.
The 2013 exploit caused memory corruption and executed attack code that would find a TOR user's real IP address and network adapter MAC identifier, and relay it back to a server.
It was the work of the United States Federal Bureau of Investigation, which was targeting TOR users who accessed child pornography.
Computer scientist and TOR Project co-founder Roger Dingledine said the vulnerability had been confirmed by Mozilla security engineer Daniel Veditz, and the firm was working on a fix.
The flaw is believed to affect multiple Windows versions of Firefox as far back as version 41, and up to version 50 of the open source web browser.
Update: The TOR Project has updated its TorBrowser with a fix for the vulnerability. Users are advised to update to version 6.0.7 of TorBrowser as the vulnerability is actively exploited on Windows, TOR Project developer Georg Koppen said.
He advised Apple macOS / OS X and Linux users to also upgrade their browsers, as the bug affects the anonymising software running on those operating systems as well. But Koppen said there was no current indication that the bug has been exploited on Apple macOS / OS X or Linux.
The fix for the vulnerability will be rolled out to Firefox users automatically over the next 24 hours, a Mozilla spokesperson told iTnews.
Firefox users who wish to update their browsers immediately can download the fixed version.