Mozilla is working to develop a fix for Firefox bugs that are being exploited by scammers who pose as tech support staff.
The attacks were first spotted by Jérôme Segura of Malwarebytes. In a Twitter post, Segura says the bug, which has the bug ID 1438214, is actively being exploited in the wild.
Segura also told SecurityWeek that he informed Firefox of this bug two years ago.
When users visit sites set up by the malicious actors, the vulnerability allows these scammers to “freeze the browser by exploiting the download blog API so that it consumes all CPU resources.”
Segura discovered a second vulnerability that is also being exploited.
This newer vulnerability, which Firefox has known about for at least three months, “abuses notifications by perpetually asking users for the same authorization.”
In response, Firefox is expected to fix both vulnerabilities in the Firefox 71 update set for a Dec. 3 release.