Firefox version 57, otherwise known as Firefox Quantum, has done wonderful things to help get Mozilla’s open-source web browser back in shape, but along the way, the company has made a few mistakes. One of the biggest of Mozilla’s recent flubs was an exploit hidden in Firefox’s user interface code that made it possible to for an attacker to run unsanitised HTML on a user’s computer.
Thankfully, the issue has been patched in the latest update for Firefox (version 58.0.1), but essentially the exploit took advantage of Firefox’s Chrome UI component (unrelated to Google’s web browser of the same name), which was not properly sandboxed, allowing potentially malicious code to make its way over to the browser itself and run commands there or on the host computer. As Bleeping Computer notes, the “Chrome UI” term refers to Firefox’s user interface design elements, like “menu bars, progress bars, window title bars, toolbars, or UI elements created by add-ons.”
Any code run this way was restricted by a user’s system privileges, which means damage was somewhat limited on regular accounts. However, if you were using an admin-level account, it’s possible that any problematic code could have affected the entire computer without the user ever knowing.
The security hole was present in the past three major iterations of Firefox, versions 56, 57, and 58, so if you haven’t updated your browser, you should really go do that now—especially since the flaw has been labeled with a “critical” impact level by Mozilla’s own security advisory. [Bleeping Computer]