Thanks to @coinbase I've had a chance to look at the in-the-wild exploit for the recent Firefox 0day (the RCE) that they caught. Tl;dr: it looks a lot like a bug collision between Fuzzilli and someone manually auditing for bugs. My notes:

My report for the bug is now public: bugs.chromium.org/p/project-zero…. This PoC directly turns the bug into type confusions, the exploit technique is then basically phrack.org/papers/jit_exp…

The itw exploit however abuses the bug as a side-effect issue (a popular JIT bug: saelo.github.io/presentations/…), turns that into an OOB read, then a type confusion. With that the bug is basically a variant of CVE-2019-9810 ( github.com/xuechiyaobai/C…). Thanks @_niklasb for the reference

A fuzzer would likely have a hard time triggering the bug that way. Fuzzilli found a simpler case that triggered another aspect of the issue, not involving side effects, which is also easier and a bit more reliable to exploit (doesn't involve heap manipulation)

According to objective-see.com/blog/blog_0x43… it seems the bug was already exploited before the fix became public on Jun 6th (hg.mozilla.org/integration/au…). Also, imo it would be quite difficult to construct a PoC from the bugfix alone

So all in all this looks like a bug collision (not a 1day constructed from the bugfix, not a leak from any of the bug trackers). My guess is that someone was looking for that bug pattern or even specifically for a variant of CVE-2019-8910 and found the bug that way

@_niklasb Just to clarify (hope that's not necessary though...): github.com/xuechiyaobai/C… doesn't have anything to do with this exploit, it's just one of multiple public PoCs for a similar bug in Firefox. Other PoC e.g. github.com/0vercl0k/CVE-2… (same goes for it of course)