Closed Bug 1321100 Opened 8 years ago Closed 8 years ago

Claim of SVG animation-related RCE bug in Tor Browser

Categories

(Core :: SVG, defect)

50 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1321066

People

(Reporter: schoen, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161114144739

Steps to reproduce:

A message was just sent to the public tor-talk mailing list containing purported exploit PoC code for a remote code execution vulnerability in Tor Browser. The code is fairly detailed which made me doubt that it was a hoax, although it could conceivably be related to something that's already known or fixed upstream in Firefox. The message claims that the vulnerability is being exploited in the wild. The vulnerability appears to relate somehow to SVG animations.

The message in question appears at https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

I've also written to security@mozilla.org about this.
Group: firefox-core-security → core-security
Component: Untriaged → SVG
Product: Firefox → Core
This is already being tracked in bug 1321066.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
(Thanks for the report, in any case! Good to have security bugs reported/tracked ASAP.)
Thanks! I also got a reply by e-mail from the security list and saw a follow-up on tor-talk indicating that it was previously reported to Mozilla. I'm happy to know that Mozilla is already on top of it.
(In reply to Seth Schoen from comment #4)
> I'm happy to know that Mozilla is already on top of it.

Only because someone like you reported it to us -- so thanks again for doing that.
Group: core-security