Mozilla Foundation Security Advisory 2008-63
User tracking via XUL persist attribute
- Announced
- December 16, 2008
- Reporter
- Hish
- Impact
- Low
- Products
- Firefox
- Fixed in
-
- Firefox 3.0.5
Description
Security researcher Hish reported that
the persist
attribute in XUL elements can be used to
store cookie-like information on a user's computer which could later
be read by a website. This creates a privacy issue for users who have
a non-standard cookie preference and wish to prevent sites from
setting cookies on their machine. Even with cookies turned off, this
issue could be used by a website to write persistent data in a user's
browser and track the user across browsing sessions. Additionally,
this issue could allow a website to bypass the limits normally placed
on cookie size and number.