Security experts and even the U.S. government are urging Firefox users to update their browser as soon as possible this week to address a vulnerability, currently being exploited in the wild, that could let an attacker take control of an affected system.

The bug, a type confusion vulnerability (CVE-2019-11707) in Array.pop, a method that's used to add or remove JavaScript objects in Firefox, could allow an exploitable crash, Mozilla warned Tuesday. Firefox 67.0.3 and Firefox ESR 60.7.1, released this week, resolve the vulnerability.

In type confusion vulnerabilities wrong function pointers or data is passed to the wrong piece of code that can't verify the type of object its passed to.

Samuel Groß, a researcher at Google's Project Zero who's been a mainstay the last several years at Pwn2Own, the annual hacking competition, discovered the bug on April 15.

Groß said Wednesday on Twitter that the bug can be exploited for remote code execution but that an attacker would need a separate sandbox escape to do so.

It sounds as if that's exactly what happened earlier this week, nearly two months after Groß first reported the bug to Mozilla, when an attacker tried to exploit the vulnerability against employees at the cryptocurrency exchange Coinbase.

Philip Martin, Coinbase’s Chief Information Security Officer walked through the attack Wednesday night on Twitter, explaining that that the company detected and blocked an attempt on Monday by an attacker using the type confusion vulnerability (CVE-2019-11707) in tandem with a separate zero day Firefox sandbox escape to target employees.

1/ A little more context on the Firefox 0-day reports. On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported 0-day, along with a separate 0-day firefox sandbox escape, to target Coinbase employees.

— Philip Martin (@SecurityGuyPhil) June 19, 2019

Mozilla addressed the second zero day, a sandbox escape the company marked as "high" impact, with a patch on Thursday.

Martin, who reported the attack to Mozilla, claims his team is still digging into the malware and infrastructure used in the attack but says he hasn't seen any evidence that the service's customers are being targeted.

After Martin posted a handful of indicators of compromise (IOC) on Twitter, Vitali Kremez, former Director of Research at Flashpoint, chimed in, acknowledging that the IOCs could be linked to a "powercat"-like stealer. Patrick Wardle, Chief Research Officer at Digita Security, and Nick Carr, a FireEye senior manager, also looked at IOCs provided by Martin and tied them to a new sample of the Mac malware OSX.NetWire.A.

Given the vulnerability is being exploited in the wild, even the U.S. government pressed users to update this week.

Officials with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) urged users and administrators alike on Tuesday to apply the necessary updates.

Developers with the Tor Browser, which shares some of the same code with Firefox, are also encouraging users to apply a browser update it pushed this week. With that update, which brings the anonymity service to version 8.5.2, Tor also updated the NoScript addon, which comes bundled in, to version 10.6.3.

Time to update: There's a new version of Tor Browser available.

Tor Browser 8.5.2 fixes a critical security issue in Firefox and updates NoScript to 10.6.3. Full changelog: https://t.co/IPuCeNXO6t pic.twitter.com/6WjtfJynzM

— The Tor Project (@torproject) June 19, 2019