Bug#560108: xulrunner: remote info disclosure via css
Mike Hommey
mh at glandium.org
Mon Dec 14 10:10:24 UTC 2009
severity 560108 important
thanks
On Tue, Dec 08, 2009 at 06:12:20PM -0500, Michael Gilbert wrote:
> package: xulrunner
> version: 1.9.0.13-0
> severity: serious
> tags: security
>
> hi,
>
> it has been disclosed that it is possible for any website to query the
> user's site viewing history via css. please see [0]. i have not
> personally checked whether this package is vulnerable, but it seems to
> be a general css design issue, so all css-supporting browsers are
> likely affected. please check, and feel free to close the bug if the
> package is not affected. thanks.
>
> mike
>
> [0] http://thecoffeedesk.com/news/index.php/2009/08/02/view-remote-browser-history/
>
>
>
The issue has been known for at least three years. If nobody
fixed it, it means they don't consider it a serious problem, and as you
say, this is by design.
Mike