Mozilla Foundation Security Advisory 2016-84

Information disclosure through Resource Timing API during page navigation

Announced

August 2, 2016

Reporter

Catalin Dumitru

Impact

Moderate

Products

Firefox

Fixed in

Firefox 48

Description

Amazon software engineer Catalin Dumitru reported that the URLs of resources loaded after a navigation started (such as in an unload event handler) were leaked to the following page through the Resource Timing API. This leads to potential information disclosure.

References

Resource Timing API is storing resources sent by the previous page (CVE-2016-5250)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-84

Information disclosure through Resource Timing API during page navigation

Description

References