window.open allows opening content from private browsing mode in normal mode window

RESOLVED DUPLICATE of bug 1100154

Status

Product: Firefox
Component: Private Browsing

People

Reporter: jarmo.lahtiranta; Assignee: Unassigned

Tracking

Version: 40 Branch
Keywords: sec-low
Points: ---

Firefox Tracking Flags

(Not tracked)


Description

2 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.19 (Edition beta)

Steps to reproduce:

1. Open the same website in two windows: one in private browsing mode and one in normal mode.
2. Click a link with window.open so that you get a popup window.
3. Click the same link in another window.


Actual results:

The page from the second link opens in the same window as the first link. If the first link was in private browsing mode, the second link is opened in the same mode. If the first link was in normal mode, the link is opened in normal browsing mode too.

This allows the attacker to break out of the private browsing mode, because he can send arbitrary data as GET parameters and identify the user that way.

POC will be available for a while at http://ka.tunk.org/breakout.php

Expected results:

A new popup window should be opened after the second click, and it should be in the same mode as the window where it was clicked.

Comment 1

2 years ago
I can reproduce on 42 beta but not on 44 (nightly). I expect this is a duplicate of bug 1100154 which was fixed in Firefox 43. Josh, can you confirm?
Flags: needinfo?(josh)
Keywords: sec-low
Component: Untriaged → Private Browsing

Comment 2

2 years ago
Ehsan, can you answer comment #1?

(In reply to :Gijs Kruitbosch from comment #1)
> I can reproduce on 42 beta but not on 44 (nightly). I expect this is a
> duplicate of bug 1100154 which was fixed in Firefox 43. Josh, can you
> confirm?
Flags: needinfo?(ehsan)

Yeah, this is the same.

Also, this shouldn't be a security-sensitive bug, but I don't have access to open it up.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(josh)
Flags: needinfo?(ehsan)
Resolution: --- → DUPLICATE
Duplicate of bug: 1100154

Updated

2 years ago
Group: firefox-core-security