Navigator.userAgent doesn't show a patch version of macOS. For example: "(Macintosh; Intel Mac OS X 10.13)". Mac os version: 10.13.6
Categories
(Core :: Networking: HTTP, defect)
People
(Reporter: luka_jovanovic, Unassigned)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Steps to reproduce:
Use the navigator.userAgent string on macOS version 10.13.6.
Actual results:
navigator.userAgent returns "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:64.0) Gecko/20100101 Firefox/64.0"
Expected results:
navigator.userAgent should return "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13.6 ; rv:64.0) Gecko/20100101 Firefox/64.0"
Comment 1•6 years ago
Valentin, is this an easy fix? Maybe good-first-bug?
Comment 2•6 years ago
(In reply to Dragana Damjanovic [:dragana] from comment #1)
> Valentin, is this an easy fix? Maybe good-first-bug?
According to https://developer.mozilla.org/en-US/docs/Web/API/NavigatorID/userAgent:
> The specification asks browsers to provide as little information via this field as possible.
> Never assume that the value of this property will stay the same in future versions of the same browser.
> Try not to use it at all, or only for current and past versions of a browser.
It's very easy to implement, technically, but it increases the fingerprinting possibilities, so I would advise against it.
Moreover, it could very well be used by bad servers to target OSX versions with known vulnerabilities. I suggest we WONTFIX it.
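The fingerprinting concern in comment 2, as an added example that is not part of the bug thread or Mozilla's code: it parses the macOS token from both User-Agent spellings seen in this report and counts how many clients share each observable version, with and without the patch number. The function names and all sample strings after the first two are constructed for illustration.

```javascript
// Added example. The first two strings are quoted in the report above;
// the remaining ones are constructed samples, not real traffic.
const SAMPLE_UAS = [
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:64.0) Gecko/20100101 Firefox/64.0",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0",
  "Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0",
];

// Accepts both the dotted ("10.13") and underscored ("10_13_6") spellings.
// patch is null when the browser does not disclose it.
function parseMacOSVersion(ua) {
  const m = /Mac OS X (\d+)[._](\d+)(?:[._](\d+))?/.exec(ua);
  if (!m) return null; // not a macOS User-Agent
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] === undefined ? null : Number(m[3]),
  };
}

// The version string an observer can read, optionally coarsened to major.minor.
function versionKey(v, keepPatch) {
  const base = `${v.major}.${v.minor}`;
  return keepPatch && v.patch !== null ? `${base}.${v.patch}` : base;
}

// Groups macOS clients by observable version; each group is an anonymity set.
function bucketSizes(uas, keepPatch) {
  const buckets = new Map();
  for (const ua of uas) {
    const v = parseMacOSVersion(ua);
    if (v === null) continue;
    const key = versionKey(v, keepPatch);
    buckets.set(key, (buckets.get(key) || 0) + 1);
  }
  return buckets;
}

console.log("with patch:   ", bucketSizes(SAMPLE_UAS, true));
console.log("without patch:", bucketSizes(SAMPLE_UAS, false));
```

With the patch number exposed, every macOS client in the sample sits alone in its bucket; coarsened to major.minor, four of the five share the single value "10.13".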
Comment 3•6 years ago
Yes, you are right.
Comment 4•6 years ago
Hi,
Thank you for your feedback. One question: why is there an OS version if we can't detect the right one? I assume there are vulnerabilities with just major and minor numbers.
Comment 5•6 years ago
(In reply to Luka Jovanovic from comment #4)
> Hi,
> Thank you for your feedback. One question: why is there an OS version if we can't detect the right one? I assume there are vulnerabilities with just major and minor numbers.
The same thing can be used to target users with the vulnerability.