Firefox 72.0.1 fixes actively exploited IonMonkey vulnerability
Mozilla shipped Firefox 72.0.1 and ESR 68.4.1 to patch CVE-2019-17026, a type confusion bug in the IonMonkey JIT engine that was being exploited in the wild.
Executive briefing: On , Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1 to remediate CVE-2019-17026, a type confusion vulnerability in the IonMonkey JIT compiler's MCallGetProperty operation. Mozilla confirmed limited exploitation in the wild, raising urgency for desktop fleets that have not yet applied the update.
Operator action: Push the 72.0.1 update (or ESR 68.4.1 for managed environments) through enterprise patch channels, restart browsers to load the new engine, and verify add-ons remain compatible. Monitor endpoint detection and network telemetry for exploitation indicators tied to JavaScript JIT abuse.
Sources: Mozilla's advisory documents the flaw class, affected versions, and fixed builds; release notes reiterate the security-only update.