Mozilla Foundation Security Advisory 2008-63

User tracking via XUL persist attribute

Announced

December 16, 2008

Reporter

Hish

Impact

Low

Products

Firefox

Fixed in

Firefox 3.0.5

Description

Security researcher Hish reported that the persist attribute in XUL elements can be used to store cookie-like information on a user's computer which could later be read by a website. This creates a privacy issue for users who have a non-standard cookie preference and wish to prevent sites from setting cookies on their machine. Even with cookies turned off, this issue could be used by a website to write persistent data in a user's browser and track the user across browsing sessions. Additionally, this issue could allow a website to bypass the limits normally placed on cookie size and number.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=295994
CVE-2008-5505

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2008-63

User tracking via XUL persist attribute

Description

References