ASA-2019-00444 – Mozilla Firefox: Cookie leakage during add-on fetching across private browsing boundaries


Allele Security Alert

ASA-2019-00444

Identifier(s)

ASA-2019-00444, CVE-2019-11723, MFSA2019-21

Title

Cookie leakage during add-on fetching across private browsing boundaries

Vendor(s)

Mozilla

Product(s)

Mozilla Firefox

Affected version(s)

Mozilla Firefox versions before 68

Fixed version(s)

Mozilla Firefox version 68

Proof of concept

Unknown

Description

A vulnerability exists in the installation of add-ons: the initial fetch ignores the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different “containers” for people who use the Firefox Multi-Account Containers Web Extension.

Technical details

Unknown

Credits

Andreas Wagner

Reference(s)

Mozilla Foundation Security Advisory 2019-21
https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11723

Bug 1528335
https://bugzilla.mozilla.org/show_bug.cgi?id=1528335

CVE-2019-11723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11723

CVE-2019-11723
https://nvd.nist.gov/vuln/detail/CVE-2019-11723

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: July 18, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.