Firefox security glitch exploited by malicious ad that could steal users’ local files

Firefox -- Mozilla

Image Credit: Paul Sawers / VentureBeat

Heads up, Firefox users — Mozilla is urging you to update your browser post-haste, after a rogue advertisement on a Russian news site was found to be exploiting a vulnerability that compromised Firefox users’ local files.

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox’s PDF Viewer,” explained Mozilla’s security head, Daniel Veditz, in a blog post.

In effect, the attacker was able to circumvent Firefox’s security and inject a malicious script that searched for key files on a user’s machine and then uploaded them to a remote server, thought to be located in Ukraine. This would’ve applied to anyone loading the page with the exploit on it — and the exploit left no trace, according to Mozilla.

The issue was reported on Wednesday, August 5, with a security update issued yesterday. While Mozilla says only Windows and Linux users were apparently targeted, the malware could easily be adapted for Mac users too — so everyone is encouraged to update to the latest version.

Even if you haven’t visited the Russian news site in question, it’s not known whether the ad has been deployed elsewhere. Firefox for Android, and other Mozilla products that don’t sport the built-in PDF Viewer, are not affected.

While ad-blocking is still frowned upon by many, this latest incident could provide people with added justification for using ad-blocking software on their computers.
