Closed Bug 1886687 Opened 2 years ago Closed 1 year ago

Timezone leak through document.lastModified when using RFP

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

RESOLVED FIXED
126 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox124 --- wontfix
firefox125 --- wontfix
firefox126 + fixed

People

(Reporter: pierov, Assigned: pierov)

Details

(4 keywords, Whiteboard: [fingerprinting] [adv-main126-])

Attachments

(3 files)

document.lastModified is in local time, and as a result it leaks the timezone even when using RFP (e.g., when coupled with DOMParser, which will create a document modified now):

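// Create a fresh document; its lastModified is the current time.
const parser = new DOMParser();
const doc = parser.parseFromString('<p></p>', 'text/html');
// Reorder "MM/DD/YYYY hh:mm:ss" to "YYYY-MM-DD hh:mm:ss" so Date can parse it.
const lastModified = new Date(doc.lastModified.replace(/(\d{2})\/(\d{2})\/(\d{4})/, "$3-$1-$2"));
// Seconds between the local-time lastModified and the current time: the timezone offset.
const offset = Math.ceil((lastModified - new Date()) / 1000);
document.write(offset);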

We are including a fix for this in the next Tor Browser alpha release, but we are waiting for the release of April 16 to include it in the stable channel.
Therefore, I kindly ask you to keep this Bug confidential until then.
Thanks in advance.

Severity: -- → S3
Group: core-security → dom-core-security
Whiteboard: [fingerprinting]

There is an r+ patch which didn't land and no activity in this bug for 2 weeks.
:pierov, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit BugBot documentation.

Flags: needinfo?(tom)
Flags: needinfo?(pierov)

We were waiting to land it, and Piero asked me today

Flags: needinfo?(tom)
Flags: needinfo?(pierov)
Pushed by tritter@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1afd9f5180c4 Report document.lastModified in UTC when using RFP. r=tjr
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Attached image verified.png

verified fixed

  • the first value (DOMParser lastModified) 2024-04-17 05:29:31 is UTC time
  • the second value 2024-04-17 17:29:31 [-720] is my real time (12 hrs ahead) taken from XSLT (bug 1891690)
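
A regression check for the behaviour verified above, as an added example that is not part of the bug or the Firefox patch: it reads a lastModified string as UTC wall-clock time and compares it with the current time, so a build with the fix reports an offset of 0. All function names are hypothetical.

```javascript
// Added example, not Firefox code. All function names are hypothetical.
// document.lastModified has the form "MM/DD/YYYY hh:mm:ss".
const LAST_MODIFIED_RE = /^(\d{2})\/(\d{2})\/(\d{4}) (\d{2}):(\d{2}):(\d{2})$/;

// Read the wall-clock fields as if they were UTC; returns epoch milliseconds.
function lastModifiedAsUtc(text) {
  const m = LAST_MODIFIED_RE.exec(text);
  if (!m) throw new Error(`unexpected lastModified format: ${text}`);
  const [, month, day, year, hour, minute, second] = m.map(Number);
  return Date.UTC(year, month - 1, day, hour, minute, second);
}

// Minutes by which the reported wall clock is ahead of true UTC at nowMs
// (opposite sign to Date.prototype.getTimezoneOffset()). Zone offsets are
// multiples of 15 minutes, so rounding absorbs the truncated milliseconds
// and the delay between creating the document and reading the clock.
function wallClockOffsetMinutes(text, nowMs) {
  const diffMinutes = (lastModifiedAsUtc(text) - nowMs) / 60000;
  return Math.round(diffMinutes / 15) * 15 || 0; // "|| 0" normalises -0
}

// reportsUtc is true when lastModified carries no zone information.
// A user whose real zone is UTC always passes, so run the check from a
// machine configured with a non-UTC zone.
function checkLastModified(text, nowMs) {
  const offsetMinutes = wallClockOffsetMinutes(text, nowMs);
  return { offsetMinutes, reportsUtc: offsetMinutes === 0 };
}

// In a browser: check a document created now, as in the report.
if (typeof DOMParser !== "undefined") {
  const doc = new DOMParser().parseFromString("<p></p>", "text/html");
  console.log(checkLastModified(doc.lastModified, Date.now()));
}
```

With RFP enabled on a build that has the fix, the logged object should show `reportsUtc: true` even when the machine's zone is not UTC.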

:dveditz do you want to uplift this to esr115?
(it grafts cleanly, checking before reaching out for an uplift request)

Flags: needinfo?(dveditz)

No - while the patch applies, it will not compile.

Flags: needinfo?(dveditz)
Regressions: 1781855
Whiteboard: [fingerprinting] → [fingerprinting] [adv-main126+]
Whiteboard: [fingerprinting] [adv-main126+] → [fingerprinting] [adv-main126-]

We patched our channels downstream, so it's okay for us to lift confidentiality.
Thanks again!

Group: core-security-release

Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons
