CLD-175 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | firefox |
Deficiency Type | SECURITY |
Date Created | 2017-12-08 09:25:31 |
Date Last Modified | 2017-12-08 10:34:14 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in firefox-52.5.2esr-i686-1 |
Cucumber 1.0 x86_64 | fixed in firefox-52.5.2esr-x86_64-1 |
Cucumber 1.1 i686 | fixed in firefox-52.5.2esr-i686-1 |
Cucumber 1.1 x86_64 | fixed in firefox-52.5.2esr-x86_64-1 |
Details:
================================ Initial Report ================================
From Mozilla Foundation Security Advisory
(https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/):
When Private Browsing mode is used, it is possible for a web worker to write
persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should
not be available in Private Browsing mode and this stored data will persist
across multiple private browsing mode sessions because it is not cleared when
exiting.
================================= Our Analysis =================================
----- Affected Products -----
As far as we know, this vulnerability affects all versions of Firefox prior to
52.5.2 ESR or 57.0.1. This includes Firefox as originally packaged on Cucumber
Linux 1.0 and 1.1.
----- Scope and Impact of this Vulnerability -----
This vulnerability allows a website to write persistent data to your browser's
database while in private browsing mode. It is not supposed to be possible for
data to persist across multiple private browsing sessions.
----- Fix for this Vulnerability -----
Upgrade to Firefox 52.5.2 or 57.0.1.
================================= Our Solution =================================
We have upgraded to Firefox 52.5.2.
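
----- Checking an Installed Version (added example) -----
The script below is an added example, not part of the original advisory or of
Cucumber Linux. It classifies a Firefox version against the two fixed releases
named above. It assumes that versions up to and including the 52 line are fixed
from 52.5.2 and that 53 and later are fixed only from 57.0.1, so a plain
"at least 52.5.2" test is not enough. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: is this Firefox version covered by the fix for CLD-175?
# Thresholds 52.5.2 (ESR) and 57.0.1 come from the advisory text.

# pkg_version NAME: take the version field out of a package name such as
# firefox-52.5.2esr-x86_64-1 (the naming used in this advisory).
pkg_version() {
    v=${1#firefox-}
    echo "${v%%-*}"
}

# version_lt A B: succeed if dotted version A is lower than B.
# Compares up to three numeric components; missing components count as 0.
version_lt() {
    a=$1 b=$2
    for i in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        # Drop the leading component; empty once none are left.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# firefox_status VERSION: print "affected", "fixed" or "unknown".
firefox_status() {
    v=${1%esr}                       # "52.5.2esr" -> "52.5.2"
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    major=${v%%.*}
    # Assumption: 52 and older follow the ESR fix, 53 and newer the 57.0.1 fix.
    if [ "$major" -le 52 ]; then fixed=52.5.2; else fixed=57.0.1; fi
    if version_lt "$v" "$fixed"; then echo affected; else echo fixed; fi
}

# Constructed sample input: the fixed package name listed in this advisory.
firefox_status "$(pkg_version firefox-52.5.2esr-x86_64-1)"
```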