Open Bug 1768639 Opened 2 years ago Updated 1 year ago

Bookmarks sidebar folder opening state is shared/stored from private windows (persisted after Firefox restart)

Categories

(Firefox :: Bookmarks & History, defect, P5)

Firefox 99
defect

People

(Reporter: lilian.gix, Unassigned)

Details

(Keywords: privacy)

Steps to reproduce:

Open Firefox private window
Open Bookmark tab (CTRL+Shift+B)
Expand some folders in Bookmark
Completely close Firefox

Actual results:

On Firefox restart in Non-Private mode, the Bookmark tab still shows all expanded folders opened in Private mode

Expected results:

Navigation through bookmarks should be forgotten after leaving Private mode

Not a remotely exploitable security issue in Firefox, so unhiding so other folks can help triage.

(In reply to lilian.gix from comment #0)

> Steps to reproduce:
>
> Open Firefox private window
> Open Bookmark tab (CTRL+Shift+B)

What do you mean? Firefox doesn't have a "bookmark tab", and this shortcut toggles the bookmarks toolbar, which doesn't preserve state.

Group: firefox-core-security
Component: Untriaged → Bookmarks & History
Flags: needinfo?(lilian.gix)

(In reply to :Gijs (he/him) from comment #1)

> What do you mean? Firefox doesn't have a "bookmark tab", and this shortcut toggles the bookmarks toolbar, which doesn't preserve state.

Indeed the toolbar on the top doesn't preserve state.
I'm not sure about the name, the thing you get on the left with CTRL+Shift+B

Flags: needinfo?(lilian.gix)

(In reply to lilian.gix from comment #2)

> (In reply to :Gijs (he/him) from comment #1)
>
> > What do you mean? Firefox doesn't have a "bookmark tab", and this shortcut toggles the bookmarks toolbar, which doesn't preserve state.
>
> Indeed the toolbar on the top doesn't preserve state.
> I'm not sure about the name, the thing you get on the left with CTRL+Shift+B

Nothing appears on the left when I press that shortcut, it only toggles the toolbar (at the top). What version of Firefox are you using?

(I'm guessing this is referring to the bookmarks sidebar and you're using an old version of Firefox... but I'm not sure.)

Flags: needinfo?(lilian.gix)

He means the sidebar that you can toggle with CTRL+B.
I can confirm that if you open folders in private browsing, they are also opened in classic browsing.

Summary: Expanded Bookmark folders in Private mode stay open after Firefox restart → Bookmarks sidebar folder opening state is shared/stored from private windows (persisted after Firefox restart)
Flags: needinfo?(lilian.gix)

Ok, I don't think this is super critical, it affects data that already exists. Surely it can disclose that a visit to an already existing (either in history or bookmarks) page may have happened, but that's it. This is also the first time I see this reported, thus it doesn't seem to be a very common concern.

I was thinking how we could address this. The code is here:
https://searchfox.org/mozilla-central/rev/b72e9d7d63bf499d1d8168291b93d4ec7fde236e/browser/components/places/content/treeView.js#378,1675,1681

What we could do is to always read from xulstore, but in PB windows write to a memory cache instead of xulstore... then when reading the info in a PB window, first read xulstore, then read from the memory cache. This should allow us to port the state from non-PB to the PB window, and while inside the PB window still have a volatile state that only persists in that window.
It should be tested though.

Severity: -- → S4
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy
Priority: -- → P5
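
The layering proposed in the last comment, as an added example that is not Firefox code and not written by anyone in this bug: a plain Map stands in for xulstore, and `PersistentStore`, `FolderOpenState` and `demo` are hypothetical names. It also covers collapsing a folder inside the private window, which needs an explicit `false` in the overlay so the inherited open state does not show through.

```javascript
// Added example. PersistentStore stands in for xulstore (it is not the real
// XULStore API); all class and function names here are hypothetical.
class PersistentStore {
  constructor() { this.values = new Map(); }
  get(key) { return this.values.get(key); }
  set(key, value) { this.values.set(key, value); }
}

// Open/closed state of bookmark folders as seen by one window.
class FolderOpenState {
  constructor(persistentStore, isPrivateWindow) {
    this.persistent = persistentStore;
    // Volatile overlay: exists only in private windows and dies with them.
    this.overlay = isPrivateWindow ? new Map() : null;
  }
  isOpen(folderId) {
    // A private window checks its own overlay first, so changes made in
    // that window win over the state inherited from normal browsing.
    if (this.overlay && this.overlay.has(folderId)) {
      return this.overlay.get(folderId);
    }
    return this.persistent.get(folderId) === true;
  }
  setOpen(folderId, open) {
    // Private windows never write to the persistent store. Closing is
    // recorded too (as false) so it can mask an inherited "open".
    if (this.overlay) this.overlay.set(folderId, open);
    else this.persistent.set(folderId, open);
  }
}

// Constructed scenario: normal window, private window, then a restart.
function demo() {
  const store = new PersistentStore();
  new FolderOpenState(store, false).setOpen("work", true);

  const pb = new FolderOpenState(store, true);
  const inherited = pb.isOpen("work");   // state ported from non-PB
  pb.setOpen("personal", true);          // expanded only in PB
  pb.setOpen("work", false);             // collapsed only in PB
  const inPb = { personal: pb.isOpen("personal"), work: pb.isOpen("work") };

  // "Restart": the overlay is gone, only the persistent store survives.
  const after = new FolderOpenState(store, false);
  return { inherited, inPb, personalAfter: after.isOpen("personal"),
           workAfter: after.isOpen("work"), persisted: [...store.values.keys()] };
}
console.log(demo());
```

A check worth having in a real test for this bug is the last field: after the private window has been used, the persistent store should contain only keys written from non-private windows.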