Closed Bug 145635 Opened 22 years ago Closed 22 years ago

Deny access for scripts to "filename" property for JavaScript Plugin object.

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
All
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 88183

People

(Reporter: sinchi, Assigned: security-bugs)

References

(
URL
)

Details

Attachments

(1 file)

Demonstration
486 bytes, text/html
Details 
Using navigator.plugins in JavaScript, everyone can know where Mozilla is
installed on my local disk.

I think, "filename" property of Plugin object, unlike MIME types and
descriptions, isn't usable for JavaScript in HTML pages on the Web, it's only an
additional risk of security troubles.

And more, if any plugin is installed in user profile directory, this issue is a
way to know path of my profile... Very dangerous opportunity!

I wrote to security@mozilla.org about this issue, but has no answer.
Attached file Demonstration 

    
    

    
  
Marking security-sensitive. Reporter, what version of Mozilla are you running?
Group: security?

    
    

    
  

*** This bug has been marked as a duplicate of 88183 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Group: security?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: