Mozilla Foundation Security Advisory 2016-84

Information disclosure through Resource Timing API during page navigation

Announced
August 2, 2016
Reporter
Catalin Dumitru
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 48

Description

Amazon software engineer Catalin Dumitru reported that the URLs of resources loaded after a navigation started (such as in an unload event handler) were leaked to the following page through the Resource Timing API. This leads to potential information disclosure.

References