It sounds like you are getting a random named website claiming to have a urgent Firefox update. This is not from Mozilla or the Firefox web browser. The fake firefox-patch.exe and firefox-patch.js files can install things like trojans, viruses, or unwanted software on Windows based on past reports if the user runs them.

The updates are done internally in Firefox (with a .mar type of file) whether on Windows, Mac OSX or Linux or by download from mozilla.org like say www.mozilla.org/firefox/all/

You could try using a adblocker extension like uBlock Origin to block theses fake ads if you keep getting them. https://addons.mozilla.org/firefox/addon/ublock-origin/

Unfortunately this has gone on for over a month now with one or two new sites reported almost everyday. https://support.mozilla.org/en-US/forums/contributors/712056/ and https://support.mozilla.org/en-US/forums/contributors/712075

CC3000 said

I see this question posted previously but never answered.

I would say almost all to all threads posting about this fake firefox-patch.js in the past month has replies like saying it is malware and to not download or run it.

CC3000 said

I see this question posted previously but never answered. Firefox says it is up-to-date. I suspect...malware?...something bad on Windows 7, Firefox 47

As forum moderator "James" already has commented (dozens of times), this bogus message has been in circulation for several weeks. The website source of the message varies widely, but identifying the source website is not that important, since the website name is randomly-generated and/or the malware is being passed around to many malware hackers.

Your first clue the message is bogus is that Mozilla does not update Firefox in this fashion. Your legitimate updates arrive by a different method.

In contrast, the bogus update message usually arrives with a flaming orange full screen, with Firefox logo in its center, as in the attachment below.

Lately, however, I have seen the message arrive with only what appears to be a system-generated popup message titled, "Opening firefox-patch.js" (also attached below). That bogus system message popup is actually more deceptive, because it has no signature flaming orange background and Firefox logo.

With either variety of bogus message, under no circumstances click on the buttons "Save File" or "Cancel", and do not even click on the small "X" in the upper right of the popup box.

Although the message is temporarily resident in system memory, it is still no threat unless you click on any of the message buttons. Conceivably, that would allow malware to write itself to your hard drive.

The safest escape from the situation is to clear system memory completely by shutting down the Windows session and simply restarting. That should work every time.

The malware code behind the bogus messages is not part of the "infected" website, itself, but enters through affiliated, third-party advertisements posted around website content. Since advertisers pay the bills and keep content free to visitors, many websites are reluctant to make an issue with advertisers to police their advertisements more carefully.

In my case, the originating website (a weather website) is known to be legitimate, and for what it is worth, I plan to notify that website's administrators of the problem.