Earlier this week, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox's PDF Viewer to search for sensitive files on users' local file systems.
The exploit has been fixed in Firefox 39.0.3 and ported to its extended support release, Firefox ESR 38.1.1.
Versions of the browser that do not include the PDF Viewer, such as Firefox for Android, are not vulnerable.
According to Veditz, the payload searches for subversion, s3browser, Filezilla, and libpurple configuration files on Windows systems; whereas on Linux, the payload looks through global configuration files in /etc/ as well as .bash_history, .mysql_history, .pgsql_history, .ssh files, any text files with "pass" and "access" in the names, and any shell scripts.
Any files encountered by the payload are uploaded to a server reportedly in Ukraine.
Mac users are not impacted by this exploit, but Veditz warned that another payload could potentially use the same vulnerability.
"The exploit leaves no trace it has been run on the local machine," said Veditz. "If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs."
Last month, a pair of use-after-free vulnerabilities and 11 other vulnerabilities of varying importance forced Mozilla to release an update to Firefox 39.
Although separately, Mozilla said these bugs could not be exploited easily, a user would be vulnerable if a mechanism was found to trigger them.