Firefox users have been urged to update to browser version 39.0.3, following the discovery of a vulnerability which allows an attacker to read and steal sensitive local files on the victim’s computer via the browser’s PDF reader.
Discovered by security researcher Cody Crews, the Firefox exploit allows an attacker to violate the same origin policy and inject script into a non-privileged part of Firefox’s built-in PDF Viewer.
Mozilla reports that on the morning of 5 August, a user passed information to the organisation showing how to exploit the vulnerability.
An advertisement on an unnamed news site in Russia was serving the exploit, according to Mozilla, and then uploading sensitive pilfered files to a server, apparently located in Ukraine.
Mozilla has now released a security update addressing the vulnerability.
Additionally, Mozilla notes the fix has been shipped in Firefox ESR 38.1.
All Firefox users are urged to update to Firefox 39.0.3.