Closed Bug 1799339 Opened 2 years ago Closed 3 months ago

Fenix leaks real major version when a RFP user enables Desktop Mode

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Platform:
Unspecified
Android
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: aoia7rz7l, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog2])

Tested on Fenix Nightly 108.0a1.

STR:

  1. Flip privacy.resistFingerprinting to true in about:config and restart Fenix.
  2. Visit https://browserleaks.com/ip, https://browserleaks.com/javascript and/or https://canvasblocker.kkapsner.de/test/navigatorTest.php.
  3. Note the results and then enable Desktop Mode in each case.

Expected Behavior:

Fenix correctly masks its real major version in User-Agent HTTP Header and navigator.userAgent when RFP is on (currently 102.0), even after bug 1769022 (and maybe bug 1770498?).

Actual Behavior:

Fenix reports its real major version when a RFP user enables Desktop Mode. CanvasBlocker's navigator test also suggested that there are multiple values in navigator.userAgent when using Desktop Mode, although I can't verify what this means without resorting to USB debugging. I am also not sure how far back this goes in Fenix, but the same test works as expected when using Fennec (68.11.0) in Desktop Mode.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

The severity field is not set for this bug.
:freddy, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(fbraun)
Blocks: fingerprinting-breakage
Severity: -- → S3
Flags: needinfo?(fbraun)
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]

Duplicate of Bug 1727775

RFP enabled

  • default non-desktop-site: header + navigator
    • Mozilla/5.0 (Android 10; Mobile; rv: 129.0) Gecko/129.0 Firefox/129.0
  • change to desktop-site: header + navigator
    • Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
  • BOTH of these are the correct RFP values for mobile (android) and linux (desktop)

RFP disabled (sanitized everything on close, used quit menu item, did a force stop)

  • default non-desktop-site: header + navigator
    • Mozilla/5.0 (Android 11; Mobile; rv: 129.0) Gecko/129.0 Firefox/129.0
    • ^ not RFP value: to show RFP is working above
  • change to desktop-site: header + navigator
    • Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
    • ^ happens to be the same as RFP since it's a default Linux version to indicate desktop to websites

RFP does not leak any entropy here. Note: version spoofing as ESR was removed in desktop ages ago, and then in android some time after (can't locate the bugzillas in a hurry): so there would have been a gap where mobile would have show the real version in desktop (assuming the desktop-site user agent was using RFP's algorithm). Also note that hiding the real version from JS is impossible anyway (which is why it was dropped)

Status: UNCONFIRMED → RESOLVED
Closed: 3 months ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.