
Firefox Zero-Day Exploit Demonstrated at Pwn2Own Berlin Targeting SpiderMonkey JavaScript Engine
At Pwn2Own Berlin, researchers Eduardo Bojin and Tawan from Palo Alto Networks demonstrated a zero-day exploit against Firefox's SpiderMonkey JavaScript engine, targeting the Promise.allSettled function. The vulnerability was an out-of-bounds (OOB) write caused by mutable indices during promise resolution, and it enabled remote code execution. Mozilla treated the disclosure as a security fire drill: it reproduced the exploit in debug builds and confirmed that the bug affected versions older than six months. The team tracked the issue in Bugzilla, validated it in VMs, and bisected to trace the bug's origin, although the bug predated the oldest preserved builds available for testing. The exploit, sold for $50,000, had required extensive stability work because of garbage collection complexities on Windows. Mozilla's incident response covered patch development, variant analysis, and coordination with the Tor Browser team, which tracks Firefox ESR (Extended Support Release). The fix process prioritized thoroughness over speed so as not to introduce new risks, especially ahead of Pwn2Own's second day.