[tor-bugs] #9308 [Firefox Patch Issues]: JavaScript's BrowserFeedWriter() leaks installation paths on OS X and Windows
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Apr 7 21:36:35 UTC 2014
#9308: JavaScript's BrowserFeedWriter() leaks installation paths on OS X and
Windows
-------------------------------------+-------------------------------------
Reporter: cypherpunks | Owner: mikeperry
Type: defect | Status: needs_review
Priority: critical | Milestone:
Component: Firefox Patch | Version:
Issues | Keywords: tbb-fingerprinting,
Resolution: | tbb-easy, interview,
Actual Points: | GeorgKoppen201404R
Points: | Parent ID:
-------------------------------------+-------------------------------------
Comment (by arthuredelstein):
I've added a new patch that fixes the original vulnerability reported in
this ticket (BrowserFeedWriter). Because the patch,
https://hg.mozilla.org/mozilla-central/rev/e9ea1662020a, requires a
number of previous patches, a full backport would be rather complex. But
we can get a workable fix simply by imitating the patch's removal of a
single line. Deleting this line excises the BrowserFeedWriter constructor
from the global JavaScript "window" API. Without the BrowserFeedWriter
constructor, the privacy-leaking JS exception is no longer triggerable.
I have opened a separate ticket, #11433, reporting the sidebar bug.
Unfortunately the sidebar bug requires a more complex backport. I have a
second, unrelated bug I need to work on, so I'll postpone fixing the
sidebar issue until after that.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9308#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list