CVE CyberSecurity Database News

CVE-2022-28283 - How a Missing Security Check in Firefox’s sourceMapURL Could Leak Your Files

Poster -

In April 2022, Mozilla patched a critical security issue in Firefox (before version 99) known as CVE-2022-28283. If you’re a developer or just curious about browser security, this vulnerability is both fascinating and concerning. In this post, I’ll break it down in simple terms, explain how it worked, and illustrate its possible exploitation with code you can understand.

What is sourceMapURL?

First, a bit of background. When developers write JavaScript, they often use tools like webpack, Babel, or TypeScript. These tools transform or bundle code, making it harder to debug. That’s where *source maps* come in. They help browsers link the compressed JavaScript you see in production to the original code you wrote by using the sourceMappingURL comment:

//# sourceMappingURL=/path/to/original.js.map

Firefox DevTools (and other browsers) read this URL to display the original source for breakpoint debugging.

What Went Wrong?

Before Firefox 99, the browser failed to check where the sourceMapURL points to. That means a malicious webpage could tell Firefox DevTools to load a file from anywhere — even your local disk or other protected locations. For example, if a web page set:

//# sourceMappingURL=file:///etc/passwd

Or something sneaky like

//# sourceMappingURL=file:///C:/Windows/System32/drivers/etc/hosts

DevTools would try to load that exact file, even though the page should have no business accessing it.

Why Is This Dangerous?

Attackers can use this to *trick* a developer (or anyone with DevTools open) into loading and possibly leaking the contents of local files. While DevTools itself doesn't always display the whole file directly, parts of it might get loaded or cached, and browser extensions or scripts could snoop on them in certain situations.

malicious.js

console.log("Hello, world!");
//# sourceMappingURL=file:///C:/Windows/System32/drivers/etc/hosts

index.html

<!DOCTYPE html>
<html>
<head>
    <title>CVE-2022-28283 Demo</title>
    <script src="malicious.js"></script>
</head>
<body>
    <h1>If you open DevTools, something interesting happens!</h1>
</body>
</html>

Lure a victim (developer or tester) to open the page.

4. When the victim opens DevTools, Firefox (pre-99) will try to fetch whatever is in the sourceMappingURL, even if it points to file:/// or other sensitive schemes.

5. Optional: An attacker with extra browser extension privileges could programmatically access the file contents once loaded in DevTools.

Demo Scenario

Imagine a developer debugging your script using Firefox 98. They open DevTools and see a *source not found* error—along with a request in their browser to access a local file you specify.

Depending on the system and permissions, it could leak information or even set up a pathway for more dangerous attacks involving local files.

The Fix

Mozilla fixed the bug in Firefox 99 by adding proper checks. Now, if a page tries to point sourceMappingURL to an unauthorized location, Firefox DevTools will refuse to load it, saying something like “Loading source map from file:// URLs is not allowed.”

References

- CVE-2022-28283 on NVD
- Mozilla’s advisory for Firefox 99
- Bugzilla Report #1762072 ("DevTools should validate sourceMapURL before attempting to resolve it")
- OWASP: Source Maps Security Considerations

Summary

CVE-2022-28283 was a classic example of how a little oversight in DevTools can open the door to big issues. By not checking the location of sourceMapURL, Firefox left itself open for local file probing attacks. The fix was simple: only allow DevTools to resolve maps from proper, safe locations.

Stay updated—and keep an eye on even the smallest details!

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 20:54:00 UTC