Firefox patches zero-day security flaw days after Chrome fixes the same issue
A bug similar to one recently found in Google Chrome was also spotted in Firefox and subsequently fixed.
- Kaspersky recently uncovered a zero-day vulnerability in Google Chrome
- Mozilla now says it has found a similar issue in Firefox
- The bug was used to target Russian targets in a cyber-espionage campaign
A worrying security flaw, similar to the Chrome zero-day issue recently spotted and patched by Google, has now been discovered, and remedied, in the Firefox browser.
In a security advisory published on March 27, 2025, Mozilla said after the discovery of the Chrome sandbox escape vulnerability, “various Firefox developers” found a similar pattern in the browser’s IPC code.
“A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape,” Mozilla explained. Escaping the sandbox is one of the browser’s “primary security defenses,” reports CyberInsider.
Monitor your credit score with TransUnion starting at $29.95/month
TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.
Preferred partner (What does this mean?)View Deal
Patching the bug
A sandbox in a web browser is a security mechanism that isolates running web content (such as JavaScript, plugins, or iframes) from the rest of the system.
The goal is to prevent potentially malicious websites or scripts from accessing sensitive user data, modifying system files, or interfering with other applications.
By “escaping the sandbox”, cybercriminals could have malware run on the target computer through the browser.
A patch has been released, and Firefox users are advised to update their browsers to versions Firefox 136.0.4, Firefox ESR 128.8.1, Firefox ESR 115.21.1 to mitigate the issue. Mozilla also added that the bug affects Firefox on Windows, and that other operating systems are unaffected.
It stressed that the Chrome bug was being exploited in the wild, suggesting that the Firefox one remained hidden.
Chrome’s original vulnerability is tracked as CVE-2025-2783, while the Firefox one is being tracked as CVE-2025-2857. No severity score has yet been assigned.
Nor Google, nor Mozilla, discussed the threat actors or the victims. However, researchers from Kaspersky (who originally found the bug) said that the flaw was used to target people in Russia.
The campaign involved phishing, redirecting victims to primakovreadings[dot]info. The entire campaign was dubbed Operation ForumTroll and apparently, the goal is to conduct cyber-espionage.
You might also like
- Google Chrome security flaw could have let hackers spy on all your online habits
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
