Firefox user? You need to update immediately

A major security flaw has been discovered in Mozilla’s Firefox web browser that could potentially compromise users’ sensitive files and upload them to servers in Ukraine.

A Firefox user found an advertisement on a news site in Russia which was serving the Firefox exploit.

The company explains in its blog that the bug comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla’s products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable to the threat.

The security flaw does not enable execution of arbitrary code, but it allows a JavaScript payload to be injected into the local file context, which makes it possible to search for and upload potentially sensitive local files.

The particular ad in question was looking for developer-focused files on a user's system. The exploit affects both Windows and Linux users, but Mac users are not targeted by this particular exploit. The bug could potentially change passwords and keys in the developer-focused files. Those who use ad-blocking software and special filters might have been protected too.

The company has issued a patch for the vulnerability, and all Firefox users are advised to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.
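For administrators with more than one machine to check, the following added example (not Mozilla's code and not part of the original article) triages a browser inventory against the two fixed versions named above. The record fields (`product`, `channel`, `version`, `os`) and the sample inventory are constructed, and the code assumes that any version below the fixed one on its channel needs the update, since the article does not state the first affected version.

```python
# Added example: triage an inventory against the fixed versions in the article.
FIXED = {"release": (39, 0, 3), "esr": (38, 1, 1)}   # versions from the article
TARGETED_OS = {"windows", "linux"}                   # platforms the observed exploit targeted

def parse_version(text):
    """Turn '39.0.3' or '38.1.1esr' into a 3-tuple of ints, padded with zeros."""
    core = text.strip().lower()
    if core.endswith("esr"):
        core = core[:-3]
    parts = [int(p) for p in core.split(".")]        # ValueError on e.g. '40.0b9'
    return tuple((parts + [0, 0, 0])[:3])

def triage(record):
    """Classify one inventory record (hypothetical field names)."""
    if record["product"].lower() == "firefox for android":
        return "not affected"                        # no PDF Viewer, per the article
    channel = record.get("channel", "release").lower()
    if channel not in FIXED:
        return "check manually"                      # unknown channel, do not guess
    try:
        version = parse_version(record["version"])
    except ValueError:
        return "check manually"                      # pre-release or malformed version
    if version >= FIXED[channel]:
        return "patched"
    if record.get("os", "").lower() in TARGETED_OS:
        return "update now (targeted platform)"
    return "update"                                  # e.g. Mac: not targeted, still unpatched

# Constructed sample inventory.
INVENTORY = [
    {"host": "dev-01", "product": "Firefox", "channel": "release", "version": "39.0", "os": "Linux"},
    {"host": "dev-02", "product": "Firefox", "channel": "esr", "version": "38.1.1esr", "os": "Windows"},
    {"host": "dev-03", "product": "Firefox", "channel": "release", "version": "38.1.1", "os": "Mac"},
    {"host": "tab-01", "product": "Firefox for Android", "version": "39.0", "os": "Android"},
    {"host": "dev-04", "product": "Firefox", "channel": "release", "version": "40.0b9", "os": "Windows"},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(f"{rec['host']:8} {rec['version']:10} {triage(rec)}")
```

Note that `dev-03` reports 38.1.1 on the release channel and is still flagged: that version number is only the fixed one for ESR.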