1952268 - (CVE-2025-3035) AI Shortcuts leak the tab title and `<browser>` they are first opened in for the window

Status: VERIFIED FIXED

(Core :: Machine Learning: General, defect, P1)

Description

[Matthew N. [:MattN]]

Attachment: Screenshot of the browser toolbox showing the same `mouseover` listener registered multiple times

The AI Chat Shortcuts feature doesn't clean up its mouseover listener and the UI element is shared across all tabs in a browser window so the first tab to use the feature is the one always used for determining the tab title to include in the chat message. The reference to that first browser where its used is also kept alive until the window closes. It seems like the mouseover listener was never removed since the initial implementation in Jul 2024 as I don't see any removeEventListener there. I'm surprised the add/remove event listener lint rules didn't catch this.

Incorrect tab title disclosure STR:

1. Turn on the AI Chatbot feature
2. Open the following URL in a private window data:text/html,<title>Embarassing tab title</title>Foo
3. Select the text "Foo"
4. Hover over the AI Chatbot Shortcuts icon that appears
5. Open a tab with the URL https://example.com
6. Select some text on example.com
7. Hover the AI Chatbot Shortcuts icon that appears
8. Choose "Explain this" or another option that includes the tab title in the chat message

Expected result:
The chat message contains <tabTitle>Example Domain</tabTitle>.

Actual result:
The chat message contains <tabTitle>Embarassing tab title</tabTitle> and leaks this tab title to the AI provider.

== Memory leak ==
If I close the "Embarassing tab title" tab, the <browser> is kept alive until the window closes as the mouseover listener is never removed and its function keeps the browser alive.

Comment 1

[Matthew N. [:MattN]]

Attachment: Screenshot of the Wrong Tab Title in AI Chat

Comment 2

[Ed Lee :Mardak]

at a glance, this behavior probably changed with bug 1922623

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1922623

Comment 4

[Ed Lee :Mardak]

previously the lifespan of the element was tied to the current tab. now it's associated to the first tab that showed the shortcut, so the title of the original tab title is leaked as long as the tab is open and user selects a shortcut on a different tab. closing the original tab makes the title unavailable

Comment 5

[Ed Lee :Mardak]

Attachment: Bug 1952268 - shortcuts listener should be handled by current show r=ngrato!

Avoid duplicate listeners by removing on hide.

Comment 6

[Ed Lee :Mardak]

Comment on attachment 9470342 [details]
Bug 1952268 - shortcuts listener should be handled by current show r=ngrato!

Security Approval Request

• How easily could an exploit be constructed based on the patch?: it currently includes a test to open a second tab and show shortcuts. unclear the expected security rating for this opt-in feature that requires user selecting a provider then text then hovering then selecting again on another tab. and the leaked title is presumably of the tab previously sent from the first interaction
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
• Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: beta, release
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: Yes
• If not, how different, hard to create, and risky will they be?:
• How likely is this patch to cause regressions; how much testing does it need?: removes duplicate listeners but changing scope introduced this regression in the first place
• Is the patch ready to land after security approval is given?: Yes
• Is Android affected?: No

Comment 7

[Tom Ritter [:tjr]]

Comment on attachment 9470342 [details]
Bug 1952268 - shortcuts listener should be handled by current show r=ngrato!

Approved to land and request uplift if desired

Comment 8

[Pulsebot]

Pushed by elee@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2d720a01dd6d
shortcuts listener should be handled by current show r=ngrato,firefox-ai-ml-reviewers

Comment 9

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/2d720a01dd6d

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:Mardak, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox137 to wontfix.

For more information, please visit BugBot documentation.

Comment 11

[Ed Lee :Mardak]

Attachment: Bug 1952268 - shortcuts listener should be handled by current show

Avoid duplicate listeners by removing on hide.

Original Revision: https://phabricator.services.mozilla.com/D240656

Comment 12

[Phabricator Automation]

beta Uplift Approval Request

• User impact if declined: missing/incorrect tab title when using chatbot selection feature
• Code covered by automated testing: yes
• Fix verified in Nightly: yes
• Needs manual QE test: yes
• Steps to reproduce for manual QE testing: 1. enable chatbot with provider 2. select text from one tab 3. select text from another tab
• Risk associated with taking this patch: low
• Explanation of risk level: simplify logic to avoid duplicates
• String changes made/needed: none
• Is Android affected?: no

Comment 13

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/5bc7ee466651

Comment 14

[Ciprian Georgiu, Desktop QA]

I've reproduced this bug using an affected Nightly build (2025-03-26), with STR from comment 0.

The issue is verified as fixed on latest Nightly 138.0a1, and Beta 137.0b5 (treeherder build), running Win 11, Ubuntu 24.04 and macOS 14.

Comment 15

[Tom Schuster (MoCo)]

Attachment: advisory.txt