The bug was discovered by Gareth Heyes, who blogged the issue with proof-of-concept code on Wednesday. By going public rather than reporting the issue to Mozilla, Heyes spurned the chance of a $3000 bug finder's reward. Asked why, he replied, “I think Mozilla taking FF16 down is reward enough. Publicity LOL. 3K LOL.”
Heyes’ proof of concept is a mere 8 lines of JavaScript, which could be placed on a website to affect visiting FF16 users.
Michael Coates announced the withdrawal of FF16 on Wednesday on the Mozilla Security Blog. “Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16),” he said. “The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters,” adding, “At this time we have no indication that this vulnerability is currently being exploited in the wild.”
Mozilla took the opportunity to fix two additional “crashing bugs in the browser engine used in Firefox and other Mozilla-based products” with the 16.0.1 release.
The speed with which Mozilla reacted, together with automatic Firefox updates, makes it unlikely that many users could have been affected by the issue. If you use Firefox, however, it is worth checking that you are not still running version 16.0.0.