Firefox users should immediately install a patch after two critical bugs were discovered that are reportedly being exploited by attackers.
The first is due to a use-after-free memory corruption issue in the Extensible Stylesheet Language Transformations (XSLT) feature, in which removing a parameter during processing could trigger an exploitable bug.
A second memory corruption bug, in the WebGPU graphics acceleration feature, could also trigger a use-after-free condition and be used to escape the sandbox protection feature in Firefox.
Mozilla has issued updated versions of Firefox, including 97.0.2, ESR 91.6.1, Android 97.3 and its privacy-oriented Focus 97.3 web browser, that address the vulnerabilities.
In both cases, the bugs were reported to Mozilla by researchers from China-based 360 ATA.
Mozilla did not disclose further details on the reported attacks.