CVE-2023-29538
Description
Under specific circumstances a WebExtension may have received a jar:file:/// URI instead of a moz-extension:/// URI during a load request. This leaked directory paths on the user's machine. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Under specific conditions, a Firefox extension could receive a jar:file:/// URI instead of moz-extension:/// during a load request, leaking local directory paths.
Vulnerability
When a WebExtension makes a load request, under specific circumstances the browser may translate the expected moz-extension:/// URI to a jar:file:/// URI, exposing the full local file system path to the extension's packaged resources. This affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112 [2]. The bug is triggered when an extension (such as HTTPS Everywhere) attempts to load an interstitial page for insecure sites, and the URI translation leaks paths like jar:file:///data/user/0/org.mozilla.fenix/files/mozilla/... [1].
Exploitation
An attacker needs to have a WebExtension installed that can trigger a load request under the specific conditions (e.g., toggling HTTPS Everywhere's EASE mode and navigating to an insecure site). No special network position or additional privileges are required; the issue is triggered by normal browsing behavior when the extension's assets are loaded [1]. The user must have the vulnerable version of Firefox or Firefox for Android installed and the affected extension active.
Impact
The leaked jar:file:/// URI reveals the full local directory path on the user's machine, including the user profile directory structure. This information disclosure could aid in further targeted attacks by exposing the file system layout, but does not directly grant code execution or data modification [1][2]. The severity is rated high by Mozilla [2].
Mitigation
Mozilla addressed this vulnerability in Firefox 112, Firefox for Android 112, and Focus for Android 112, released on April 11, 2023 [2]. Users should update to these versions or later. No workaround is available; the fix ensures that extensions continue to receive moz-extension:/// URIs as expected. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (8)
<112 (+ 1 more)
- (no CPE) range: <112
- (no CPE) range: unspecified
<112 (+ 1 more)
- (no CPE) range: <112
- (no CPE) range: unspecified
<112 (+ 1 more)
- (no CPE) range: <112
- (no CPE) range: unspecified
- osv-coords (2 versions): pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed, pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
< 128.5.1-1.1 (+ 1 more)
- (no CPE) range: < 128.5.1-1.1
- (no CPE) range: < 112.0.1-1.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The browser translates a WebExtension's internal `moz-extension:///` URI into a `jar:file:///` URI during load requests, leaking the local file-system path of the extension's XPI archive."
Attack vector
An attacker who can cause a WebExtension to load an internal page (for example, by navigating to an insecure site that triggers the extension's interstitial) may receive a `jar:file:///` URI instead of the sandboxed `moz-extension:///` URI [1]. This leaks the full directory path of the extension's installation directory on the user's device, such as `/data/user/0/org.mozilla.fenix/files/mozilla/.../extensions/` [1]. The vulnerability is triggered without any special privileges beyond the ability to induce the extension to load its own assets.
Affected code
The bug occurs in the WebExtensions load-request handling on Android. When a WebExtension (such as HTTPS Everywhere) triggers an internal navigation to its own assets, the browser incorrectly translates the expected `moz-extension:///` URI into a `jar:file:///` URI that exposes the local file-system path of the extension's XPI archive [1].
What the fix does
The advisory does not include a patch diff, but the bug was fixed in Firefox for Android 112, Firefox 112, and Focus for Android 112 [1]. The fix ensures that WebExtension load requests return the proper `moz-extension:///` URI rather than translating it to a `jar:file:///` URI, thereby preventing the leakage of local file-system paths [1].
Preconditions
- config: The user must have a WebExtension installed that loads internal pages (e.g., an interstitial or options page).
- input: The attacker must be able to trigger the extension to load its own assets (e.g., by navigating to an insecure site that activates the extension's EASE mode).
Reproduction
Install HTTPS Everywhere for Firefox Android. Go to the Add-Ons Menu for HTTPS Everywhere and toggle "ON" for Encrypt All Sites Eligible. Navigate to an insecure page with no HTTPS support, such as http.badssl.com. Observe that the URL shown is `jar:file:///data/user/0/org.mozilla.fenix/files/mozilla/.../extensions/https-everywhere@eff.org.xpi!/pages/cancel/index.html?...` instead of a `moz-extension:///` URI [1].
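For extension developers triaging reports from affected builds, the following added example (not Mozilla's code and not part of the advisory) classifies a URL reported for an extension page and strips the local directory path before it is logged. The function names `splitJarUri` and `classifyExtensionUrl` are hypothetical; the sample input is the URL shape quoted in the reproduction above, with its elisions kept.

```javascript
// Added example, not Mozilla's code. Function names are hypothetical.
// SAMPLE is the URL shape quoted in the reproduction, elisions ("...") kept.
const SAMPLE =
  "jar:file:///data/user/0/org.mozilla.fenix/files/mozilla/.../extensions/" +
  "https-everywhere@eff.org.xpi!/pages/cancel/index.html?...";

// A jar: URI has the form "jar:<archive-url>!/<entry-inside-archive>".
function splitJarUri(url) {
  if (!/^jar:/i.test(url)) return null;
  const rest = url.slice(4);
  const bang = rest.indexOf("!/");
  if (bang === -1) return null;
  return { archive: rest.slice(0, bang), entry: rest.slice(bang + 1) };
}

// Classify a URL reported for an extension page and return a form that is
// safe to write to logs or telemetry.
function classifyExtensionUrl(url) {
  // Expected case: the opaque, per-install extension origin.
  if (/^moz-extension:/i.test(url)) return { leaked: false, safe: url };

  const jar = splitJarUri(url);
  if (jar && /^file:/i.test(jar.archive)) {
    // Keep the archive file name and the entry path; drop the local
    // directory path and the query string.
    const name = jar.archive.slice(jar.archive.lastIndexOf("/") + 1);
    const entry = jar.entry.split(/[?#]/)[0];
    return { leaked: true, safe: `jar:file:///[redacted]/${name}!${entry}` };
  }

  // Anything else is passed through unchanged.
  return { leaked: false, safe: url };
}

console.log(classifyExtensionUrl(SAMPLE));
```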
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.