Critical Firefox vulnerability fixed in 67.0.3

On Tuesday, Mozilla issued a security advisory for Firefox, the default web browser in Fedora. The advisory concerns a CVE for a type confusion vulnerability that can occur when JavaScript objects are manipulated. It can be used to crash your browser. There are apparently already attacks in the wild that exploit the issue. Read on for more information and for how to protect your system against this flaw.

At the same time the security advisory was issued, Mozilla also released Firefox 67.0.3 (and ESR 60.7.1) to fix the issue.

Updating Firefox in Fedora

Firefox 67.0.3 (with the security fixes) has already been pushed to the stable Fedora repositories. The security fix will be applied to your system with your next update. You can also update only the firefox package by running the following command:

$ sudo dnf update --refresh firefox

This command requires you to have sudo set up. Note that not every Fedora mirror syncs at the same rate. Community sites graciously donate space and bandwidth for these mirrors to carry Fedora content. You may need to try again later if your selected mirror is still awaiting the latest update.
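To confirm that the update actually landed, compare the installed package version against the fixed release. The script below is an added example, not part of the original article; the function names and the `--check` argument are assumptions made for illustration, and it covers only the Fedora RPM of the release channel (not ESR or Flatpak builds).

```shell
#!/bin/sh
# Added example: verify that the installed Firefox RPM is at or above the
# fixed version named in the article. Function names are hypothetical.
FIXED_RELEASE="67.0.3"

# version_ge A B: succeeds when version A >= version B.
# Uses sort -V (GNU coreutils) so that 67.0.10 sorts after 67.0.3.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# firefox_status VERSION: prints "patched" or "vulnerable".
firefox_status() {
    if version_ge "$1" "$FIXED_RELEASE"; then
        echo patched
    else
        echo vulnerable
    fi
}

# check_installed: read the version from the RPM database and report it.
check_installed() {
    ver=$(rpm -q --queryformat '%{VERSION}' firefox 2>/dev/null) || {
        echo "firefox RPM is not installed"
        return 2
    }
    status=$(firefox_status "$ver")
    echo "firefox $ver: $status"
    # A browser that was already open keeps running the old code until it
    # is restarted. Assumes the process is named "firefox".
    if [ "$status" = patched ] && pgrep -x firefox >/dev/null 2>&1; then
        echo "note: restart Firefox if it was open before the update"
    fi
    [ "$status" = patched ]
}

# Run the check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Run it with `--check` after the `dnf` command above; a "vulnerable" result usually means your mirror has not synced yet.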

Fedora Project community


  1. Kamil

    Paul, please add “--refresh” to the command in the article. That’s how you increase probability that people hit the latest mirrors:

    $ sudo dnf update --refresh firefox

    • Thanks for the tip, I have made the edit 🙂

      • Danniello

        In command there is typo – not

        , it should be



        sudo dnf update --refresh firefox
        • Thanks for the pickup there too! WordPress sometimes autocompletes two hyphens in a row into an emdash automagically. This is now fixed too! Thanks!

  2. Martin Stransky

    Fedora 30 update is in stable now. Fedora 29 update is waiting for your karma:

  3. Vibol

    How about the flatpak version on the still in 66.0.1

  4. “On Friday” is supposed to say “On Tuesday”. Fedora shipped this update two days after Mozilla and not almost a full week later.

  5. Jan

    I know it is nitpicking, but the DNF man page states for “update”:

    Update Command
    dnf [options] update
    Deprecated alias for the Upgrade Command.

    While it still works, it may be worth using “upgrade” in a guide like this to encourage using it the way intended by the command.
