Image Previewer: First Firefox Addon that Injects an In-Browser Miner?

Image Previewer: First Firefox Addon that Injects an In-Browser Miner?


A Firefox extension called Image Previewer was discovered today that not only displays popups, but also injects a Monero in-browser miner into Firefox. While we have seen numerous Chrome extensions injecting in-browser miners, this is the first time I have seen a Firefox addon with this behavior.
The Image Previewer addon is promoted by web sites that pretend to be a manual Firefox update, but in reality push a Firefox addon to the visitor. This is done through repeated Javascript alerts and user authentication prompts that push the user into installing the addon directly from the site. When this addon is installed it will inject an iframe to a Javascript file that monetizes sites that you visit using popups, link click hijacking, and ad injection. This is done by first connecting to, which will respond with a URL that will be injected into the page.
The addon will then open the page in an iframe. This page contains the setup script for the in-browser Monero miner. The variables used in the URL are important as well as they specify the user id associated with the miner and the throttle, which is the percentage of time that the miner threads should be idle.
This setup script will cause the main miner script located at to load within 15 minutes.
This xmr.main.min.js script is the brains behind the Monero miner and contains the base64 encoded WebAssembly program that will be executed to mine for Monero. While mining, the miner will use up to 50% of the CPU processing power on the computer. This will cause the CPU to run at high intensity for a longer period of time, which could decrease the lifespan of the hardware.

Submitted by: Arnfried Walbrecht