Pre-req.: Have a non-private browser window open.
1. Open a private window
2. Generate a password on a website (e.g. using the context menu)
   Don't edit it or interact with the doorhanger
3. Close the private window (leaving Firefox still open, e.g. due to an existing non-private window)
4. Open a new private browsing window
5. Visit the same website as step 2 and generate a password again
Expected result: The generated password is different than in step 2 since I'm in a separate private browsing session.
Actual result: The same generated password will be used since it was cached in LoginManagerParent and it didn't listen for the last-pb-context-exited observer notification. A user may unintentionally use the same password on two accounts in two private browsing sessions.
Related problem: Generated passwords remain in memory when the last private window is closed, even if they weren't auto-saved.
- Save a password with no username for a site.
- Follow steps 1–3 above for the same site
Since a login with no password was already saved, the user wasn't told the password would be auto-saved (and it shouldn't be), and therefore the user thinks there are no traces of this site on their computer if they choose not to save the generated password manually.
The generated password is persisted in memory alongside the origin until the browser is shut down. The password and/or origin could be extracted from memory or via privileged code in browser developer tools.
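
The cache reuse and the in-memory leftover described above, as an added example that is a simplified model and not Firefox code. `ObserverService`, `GeneratedPasswordCache` and `replaySteps` are hypothetical names, and keeping private entries in a separate map is an assumption of the model; only the `last-pb-context-exited` topic comes from the report.

```javascript
// Added illustration: a simplified model, not Firefox source code.
const { randomBytes } = require("node:crypto");

// Minimal stand-in for an observer service (hypothetical, for this example).
class ObserverService {
  constructor() { this.topics = new Map(); }
  addObserver(fn, topic) {
    if (!this.topics.has(topic)) this.topics.set(topic, new Set());
    this.topics.get(topic).add(fn);
  }
  notifyObservers(topic) {
    for (const fn of this.topics.get(topic) ?? []) fn(topic);
  }
}

// Generated passwords cached per origin; private entries are held apart
// (an assumption of this model) so they can be wiped on their own.
class GeneratedPasswordCache {
  constructor(obs, clearOnPrivateExit) {
    this.normal = new Map();
    this.private = new Map();
    if (clearOnPrivateExit) {
      // The missing piece in the report: react to the last private window closing.
      obs.addObserver(() => this.private.clear(), "last-pb-context-exited");
    }
  }
  getGeneratedPassword(origin, isPrivate) {
    const store = isPrivate ? this.private : this.normal;
    if (!store.has(origin)) store.set(origin, randomBytes(12).toString("hex"));
    return store.get(origin);
  }
}

// Replays the report's steps: generate, close the last private window,
// open a new private session and generate again for the same origin.
function replaySteps(clearOnPrivateExit) {
  const obs = new ObserverService();
  const cache = new GeneratedPasswordCache(obs, clearOnPrivateExit);
  const origin = "https://example.com"; // constructed sample origin
  const first = cache.getGeneratedPassword(origin, true);
  obs.notifyObservers("last-pb-context-exited"); // last private window closed
  const leftInMemory = cache.private.size; // entries surviving the session
  const second = cache.getGeneratedPassword(origin, true);
  return { reused: first === second, leftInMemory };
}

console.log("no observer:", replaySteps(false));
console.log("with observer:", replaySteps(true));
```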