CVE-2022-28283 in Firefox
Summary
by MITRE • 12/22/2022
The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that should have been inaccessible. This vulnerability affects Firefox < 99.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/28/2026
The vulnerability in Firefox's devtools sourceMapURL feature represents a critical security flaw that undermines the browser's sandboxing mechanisms and file access controls. This issue stems from insufficient validation of URLs passed to the sourceMapURL functionality, which is designed to help developers debug JavaScript code by mapping minified code back to its original source. The missing security checks create a pathway for malicious webpages to attempt unauthorized access to local files or resources that should remain protected from web content. This vulnerability specifically impacts Firefox versions prior to 99, where the implementation failed to properly sanitize and validate file paths or URLs passed through the sourceMapURL parameter.
The technical exploitation of this vulnerability occurs when a webpage leverages the devtools functionality to load external source maps, which can contain references to local file systems or other sensitive resources. Without proper security validation, these references can be manipulated to access files that should remain isolated from web content, potentially exposing user data, system files, or internal network resources. The flaw operates at the intersection of browser debugging tools and file system access controls, creating an attack vector where malicious actors could craft source map URLs designed to traverse local file paths or access restricted resources through the browser's devtools interface.
From an operational impact perspective, this vulnerability poses significant risks to user privacy and system security as it allows for potential information disclosure and unauthorized file access. Attackers could potentially exploit this flaw to read sensitive files from a user's local system, including configuration files, personal documents, or other data that should remain protected from web-based threats. The vulnerability particularly affects environments where users browse untrusted websites or where developers regularly use devtools functionality, as it requires no special privileges beyond standard web browsing access. This makes it especially dangerous in enterprise environments where users may inadvertently visit malicious sites or where phishing attacks could leverage this vulnerability to extract sensitive information.
Security mitigations for this vulnerability primarily involve updating to Firefox version 99 or later, which includes proper validation and sanitization of sourceMapURL parameters. Organizations should also implement network-level protections such as content filtering and web application firewalls to reduce exposure to malicious websites that might attempt to exploit this vulnerability. Additionally, browser hardening practices including disabling developer tools for non-technical users, implementing strict CSP policies, and maintaining current software versions across all systems can help prevent exploitation of this and similar vulnerabilities. This issue aligns with CWE-22, which addresses improper limitation of a pathname to a restricted directory, and relates to ATT&CK technique T1059.007 for execution through JavaScript and browser-based attacks. The vulnerability demonstrates the importance of proper input validation in browser debugging tools and highlights how seemingly benign features can become attack vectors when security checks are omitted from implementation.