For anyone who is unable or unwilling to update, setting the following two values to 'false' in about:config should patch this:



I cannot 100% confirm this as I haven't found a PoC in the wild yet, however.

Be aware that this will disable two tiers of JS acceleration (JITting): The lowest level (BaselineJIT, introduced only recently) and the highest level (IonJIT for very hot code).

What does that even leave? The baseline interpreter?

Sorry, I had it partially wrong. There's the C++ Interpreter and the baseline interpreter (that one was added only recently[1]), and then the two JITs (BaselineJIT and IonMonkey). I understand that IonMonkey itself has two levels chosen depending on code hotness.

I.e. these settings will kill all JITs (so the highest 2-3 tiers) and leave the two interpreters.

[1] https://hacks.mozilla.org/2019/08/the-baseline-interpreter-a...

