The bug was discovered by Samuel Groß of Google's Project Zero and the cryptocurrency site Coinbase.
Groß said on Twitter that the bug could be exploited for remote code execution, but it would then need a separate sandbox escape.
Philip Martin, a security engineer from Coinbase, said the company had detected and blocked an attempt by an attacker to use the bug, along with a separate zero-day Firefox sandbox escape, to target its employees.
4/ If you believe you have been impacted by this attack or you have more intel to share and want to collaborate with us on a response, please reach out to firstname.lastname@example.org. IOCs follow.— Philip Martin (@SecurityGuyPhil) June 19, 2019
"We walked back the entire attack, recovered and reported the 0-day to Firefox, pulled apart the malware and infra used in the attack and are working with various orgs to continue burning down attacker infrastructure and digging into the attacker involved," he said.
"We’ve seen no evidence of exploitation targeting customers. We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted. We’re also releasing a set of IOCs that orgs can use to evaluate their potential exposure."
Groß said he had no details about the active exploitation claimed to be taking place.
I don't have any insights into the active exploitation part. I found and then reported the bug on April 15. The first public fix then landed about a week ago (sec fixes are held back until close to the next release): https://t.co/O34f9dou3E https://t.co/K6GfZN1XkH— Samuel Groß (@5aelo) June 19, 2019
The issue has been fixed in Firefox 67.0.3 and Firefox ESR 60.7.1.