Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

suspicious download firefox-patch.js

  • 4 replies
  • 4 have this problem
  • 7 views
  • Last reply by James

more options

I am recently getting this annoying popup that automatically tries to download and save a file titles: firefox-patch.js from source said to be: https://kahdacitylinkexpress.org

It happens when I am browsing and it also opens up website page: https://kahdacitylinkexpress.org/2571196760355/7b393ecf118dc15d4f6e925feea6ab53/13f5cda28c1df11a7536ab141ede954f.html

the page it open boasts firefox logo, however has no indication in the URL that is at all affiliated with Firefox or Mozilla. This or similar URL page has busted through pop-up blocker at least twice in the past couple of days, and it shows no information about what I would be downloading; and anything that tries to open pages and force save files on my computer makes me angry and suspicious. Can you please confirm if this is authentic, why it is happening and what precautions I can do to prevent unauthorized popups and any site trying to auto-save to my HD. I use Norton Small business security but to avoid any possible infection of malware or other security issues; I have persistently denied this file and not clicked or used the URL or its contents when it has popped up.

Kind Regards, Rmzey Z Allen


edited emails from public and spam/search bots as nobody here does support by email.

I am recently getting this annoying popup that automatically tries to download and save a file titles: firefox-patch.js from source said to be: https://kahdacitylinkexpress.org It happens when I am browsing and it also opens up website page: https://kahdacitylinkexpress.org/2571196760355/7b393ecf118dc15d4f6e925feea6ab53/13f5cda28c1df11a7536ab141ede954f.html the page it open boasts firefox logo, however has no indication in the URL that is at all affiliated with Firefox or Mozilla. This or similar URL page has busted through pop-up blocker at least twice in the past couple of days, and it shows no information about what I would be downloading; and anything that tries to open pages and force save files on my computer makes me angry and suspicious. Can you please confirm if this is authentic, why it is happening and what precautions I can do to prevent unauthorized popups and any site trying to auto-save to my HD. I use Norton Small business security but to avoid any possible infection of malware or other security issues; I have persistently denied this file and not clicked or used the URL or its contents when it has popped up. Kind Regards, Rmzey Z Allen edited emails from public and spam/search bots as nobody here does support by email.

Modified by James

Chosen solution

This is not from Mozilla or the Firefox web browser. The fake firefox-patch.exe and firefox-patch.js files can install things like trojans, viruses, unwanted software or to download additional stuff onto Windows based on past reports if the user runs them. The random name of the websites alone should raise a flag that it was not legit.

The Firefox updates are done internally in Firefox (with a .mar type of file) whether on Windows, Mac OSX or Linux (since Firefox 1.5 almost eleven years ago) or by download from mozilla.org like say www.mozilla.org/firefox/all/

You could try using a adblocker extension like uBlock Origin to block theses fake ads if you keep getting them. https://addons.mozilla.org/firefox/addon/ublock-origin/

Unfortunately this has gone on for a while now with one or two new sites reported almost everyday. https://support.mozilla.org/en-US/forums/contributors/712056/

Even if you were to download this firefox-patch.js file it is not a risk unless you were to try and run it.

Read this answer in context 👍 0

All Replies (4)

more options

Chosen Solution

This is not from Mozilla or the Firefox web browser. The fake firefox-patch.exe and firefox-patch.js files can install things like trojans, viruses, unwanted software or to download additional stuff onto Windows based on past reports if the user runs them. The random name of the websites alone should raise a flag that it was not legit.

The Firefox updates are done internally in Firefox (with a .mar type of file) whether on Windows, Mac OSX or Linux (since Firefox 1.5 almost eleven years ago) or by download from mozilla.org like say www.mozilla.org/firefox/all/

You could try using a adblocker extension like uBlock Origin to block theses fake ads if you keep getting them. https://addons.mozilla.org/firefox/addon/ublock-origin/

Unfortunately this has gone on for a while now with one or two new sites reported almost everyday. https://support.mozilla.org/en-US/forums/contributors/712056/

Even if you were to download this firefox-patch.js file it is not a risk unless you were to try and run it.

more options

FOLLOW UP -- WE HAVE SENT A REPORT TO EBAY, SYMANTEC/NORTON

I am noticing every time I visit Ebay site, when using Firefox (at Ebay), I continue to randomly be prompted to download a file titled "firefox-patch.js" despite NEVER asking or clicking on anything to prompt this, simply loading Ebay at an random given time, and also a fake Firefox page (which looks very authentic) is automatically opening a new tab in my browser, circumventing my popup blocker and security software. I have confirmed with Mozilla/Firefox and reported the issue to Norton Small Business, as this continues to be a problem In reaching out to Mozilla support, I am informed that this and others are surely fake, and pose a threat to security - such as Trojans, worms and other malware which seems only to happen when at Ebay. I have confirmed, these threats (which have been confirmed as fake and security risks) with Mozilla and have had Symantec perform several scans and investigate that this has not actually successfully infiltrated my systems, however every time I visit ebay, these or similar attacks are occurring; and per Mozilla support they are receiving several reports every day regarding these attempted attacks.

The last two potential threats that nearly have circumvented my security (fortunately, I have been cautious after noticing that they were suspicious due to the URLS) are from the following:

Threat Source URL or Spoofed URL: https://kahdacitylinkexpress.org Incident URL: https://kahdacitylinkexpress.org/2571196760355/7b393ecf118dc15d4f6e925feea6ab53/13f5cda28c1df11a7536ab141ede954.htm

Threat Source URL or Spoofed URL: https://ohgeifrommymama.org Incident URL: https://ohgeifrommymama.org/4511196760355/128000dfb0f3957954e96e6a8152c861/a7cf6027104131b46f4795a97a9c3532.html

EBAY MUST ADDRESS THIS MATTER AS IT IS CAUSING ALARM AND OUR COMPANY NOW QUESTIONS WHETHER OR NOT EBAY IS A SAFE MARKETPLACE AS THUS FAR, THIS IS ONLY OCCURRING WHILE AT EBAY!

Please, we respectfully request that your security department attempt to stop these attacks, as it has been happening fairly regularly, despite the attacks appearing to being somewhat random. The only certainty is: IT IS ONLY OCCURRING WHILE ON EBAY!

We kindly ask that this matter be investigated, and please note, we have reported this to Mozilla and to Symantec to help warn customers of a potentially serious risk.

Kind Regards, Rmzey Z Allen, Owner RZC, RZ-Xchange

more options

This is not the usual somebody making some sites and they then eventually get taken down by Mozilla or blocked in Google safe browsing.

These sites are registered the day before, used for a day for these malicious fake update ads and then not seen again. Have a more recent list at https://support.mozilla.org/en-US/forums/contributors/712056

It has been sophisticated enough that it only seems to target Firefox users on Windows and not on Mac OSX or Linux. Makes sense when they were initially serving a firefox-patch.exe but it kept getting blocked or flagged and they switched to firefox-patch.js since.

Also made harder by fact that only the person who got the url could view it. Anybody researching this have to try and get this fake urgent Firefox update ad themselves.

The person or group behind this elaborate scam is even targeting Google Chrome users on Windows with a similar fake update page for same period. They are using many of the same disposable domains used for the fake urgent Firefox updates. One of many thread examples is https://productforums.google.com/forum/#!topic/chrome/HcXgFFaO9WU

I have been hoping that since it has been impacting Chrome users also that maybe Google with their vast resources could get this whole malicious Ads thing dealt with and therefore help Firefox users also.

Modified by James

more options

from duplicate thread /questions/1143295 rmzeyzein said

WARNING THE FOLLOWING URL AND ASSOCIATED DOWNLOADS MAY CONTAIN MALWARE AND POSES A THREAT. IF YOU LOAD THIS PAGE, WE STRONGLY URGE THAT YOU BE AWARE, IT MAY ATTEMPT TO DOWNLOAD A FILE - DO NOT ACCEPT THIS FILE, BY HITTING CANCEL, IF IT APPEARS AND AS WELL, IT MAY CIRCUMVENT YOUR POPUP BLOCKER. Corrected URL - (html not htm site) https://kahdacitylinkexpress.org/2571196760355/7b393ecf118dc15d4f6e925feea6ab53/13f5cda28c1df11a7536ab141ede954.html

The mods here do not bother to break these links in any way since only the person who gets this could view it. Also is only a concern if you save the firefox-patch.js file and run it if you are on WIndows. You can rename it as a text file to view it.