Mozilla Foundation Security Advisory 2010-33

User tracking across sites using Math.random()

Announced

June 22, 2010

Reporter

Amit Klein

Impact

Low

Products

Firefox, SeaMonkey

Fixed in

Firefox 3.5.10
Firefox 3.5.12
Firefox 3.6.4
Firefox 3.6.9
SeaMonkey 2.0.5

Description

Security researcher Amit Klein reported that it was possible to reverse engineer the value used to seed Math.random(). Since the pseudo-random number generator was only seeded once per browsing session, this seed value could be used as a unique token to identify and track users across different web sites.

Update (October 27, 2010): After the Firefox 3.6.4 and Firefox 3.5.10 releases, Amit Klein reported that there was an additional unfixed case where user tracking could occur using the above-mentioned technique and a pop-up window or iframe that was subsequently navigated by the user. This additional variant is identified as CVE-2010-3171.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=475585
CVE-2008-5913

https://bugzilla.mozilla.org/show_bug.cgi?id=577512
CVE-2010-3171

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2010-33

User tracking across sites using Math.random()

Description

References