Closed Bug 1215904 Opened 9 years ago Closed 9 years ago

window.open allows opening content from private browsing mode in normal mode window

Categories

(Firefox :: Private Browsing, defect)

40 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1100154

People

(Reporter: jarmo.lahtiranta, Unassigned)

Details

(Keywords: sec-low)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.19 (Edition beta)

Steps to reproduce:

1. Open the same website in two windows: private browsing mode and normal mode.
2. Click a link with window.open so that you get a popup window. 
3. Click the same link in another window.


Actual results:

The page from the second link opens in the same window as the first link. If the first link was in private browsing mode, the second link is opened in the same mode. If the first link was in normal mode, the link is opened in normal browsing mode too. 

This allows the attacker to break out of the private browsing mode, because he can send arbitrary data as GET parameters and identify the user that way.

POC will be available for a while at http://ka.tunk.org/breakout.php 


Expected results:

A new popup window should be opened after the second click, and it should be in the same mode as the window where it was clicked.

I can reproduce on 42 beta but not on 44 (nightly). I expect this is a duplicate of bug 1100154 which was fixed in Firefox 43. Josh, can you confirm?
Flags: needinfo?(josh)
Keywords: sec-low
Component: Untriaged → Private Browsing

Ehsan, can you answer comment #1?

(In reply to :Gijs Kruitbosch from comment #1)
> I can reproduce on 42 beta but not on 44 (nightly). I expect this is a
> duplicate of bug 1100154 which was fixed in Firefox 43. Josh, can you
> confirm?
Flags: needinfo?(ehsan)

Yeah this is the same.

Also this shouldn't be a security sensitive bug, but I don't have access to open it up.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(josh)
Flags: needinfo?(ehsan)
Resolution: --- → DUPLICATE
Group: firefox-core-security