CLD-175 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-7843 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s) mfsa2017-28

Basic Information:

Affected Package(s) firefox
Deficiency Type SECURITY
Date Created 2017-12-08 09:25:31
Date Last Modified 2017-12-08 10:34:14

Version Specific Information:

Cucumber 1.0 i686fixed in firefox-52.5.2esr-i686-1
Cucumber 1.0 x86_64fixed in firefox-52.5.2esr-x86_64-1

Cucumber 1.1 i686 fixed in firefox-52.5.2esr-i686-1
Cucumber 1.1 x86_64 fixed in firefox-52.5.2esr-x86_64-1

Details:

================================ Initial Report ================================

From Mozilla Fondation Security Advisory
(https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/):

When Private Browsing mode is used, it is possible for a web worker to write
persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should
not be available in Private Browsing mode and this stored data will persist
across multiple private browsing mode sessions because it is not cleared when
exiting.

================================= Our Analysis =================================

----- Affected Products -----
As far as we know, this vulnerability affects all versions of Firefox prior to
52.5.2 ESR or 57.0.1. This includes Firefox as originally packaged on Cucumber
Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows a website to write persistant data to your browser's
database while in private browsing mode. It is not supposed to be possible for
data to persist across multiple private browsing sessions.

----- Fix for this Vulnerability -----
Upgrade to Firefox 52.5.2 or 57.0.1.

================================= Our Solution =================================

We have upgraded to Firefox 52.5.2.