New Firefox Vulnerability Could Have Been Used to Attack Tor Users

A recently patched vulnerability in Firefox, CVE-2024-9680, may have been exploited to target users of the Tor Browser. The issue, discovered by ESET specialist Damien Schaeffer, was a use-after-free bug in Animation timelines—a component of the Firefox Web Animations API responsible for managing and synchronizing animations on web pages.

Mozilla released an emergency patch and warned that the vulnerability could allow an attacker to execute arbitrary code while processing web content. At the time, no further details were provided about the bug or any attacks exploiting it.

The vulnerability was fixed in the following browser versions:

• Firefox 131.0.2
• Firefox ESR 115.16.1
• Firefox ESR 128.3.1

According to Mozilla, ESET provided them with a “live” exploit for CVE-2024-9680 that had been used by hackers in real-world attacks. “The sample sent to us by ESET contained a full exploit chain that allowed remote code execution on the user’s computer,” Mozilla developers reported.

Mozilla assembled a team to reverse-engineer the exploit and understand its workings, and within a day, they released an emergency patch. The organization emphasized that they will continue analyzing the exploit to develop additional security measures for Firefox.

Impact on Tor Browser Users

Around the same time, Tor developers reported that, according to Mozilla, this vulnerability was actively used in attacks against Tor Browser users. “By exploiting this vulnerability, an attacker could gain control over the Tor Browser, but would likely not be able to deanonymize you in Tails,” the statement read.

However, the blog post was later edited, and Tor Project representatives clarified that they have no evidence that Tor Browser users were deliberately targeted with CVE-2024-9680. Nevertheless, the bug did affect the Tor Browser, which is based on Firefox, and developers stress that the issue has been resolved in Tor Browser versions 13.5.7, 13.5.8 (for Android), and 14.0a9.