Closed Bug 1986155 Opened 5 months ago Closed 5 months ago

Temporary Private Browsing Storage Leak in Firefox

Categories

(Core :: Storage: IndexedDB, defect)


RESOLVED INVALID

People

(Reporter: mrnoob790, Unassigned)

References

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Description

In Firefox Private Browsing Mode, local traces of browsing activity should not be stored on disk. However, during an active private session, browsing data is temporarily written to:
storage/<private>/<UUID>/
For example, visiting https://faz.net and playing an embedded YouTube video creates a temporary folder containing IndexedDB and cache data. This folder persists until the private tab is closed, violating the expectation that private sessions leave no local traces.

Steps to Reproduce

Open Firefox Nightly / Latest version.

Go to about:config and set:
dom.caches.hide_in_pbmode.enabled = false

Open a Private Browsing Window.

Visit: https://faz.net

Scroll and play an embedded YouTube video.

While the private tab is open, check your Firefox profile directory:
<profile_path>/storage/<private>/
Observe a UUID-named folder containing temporary storage data.

Close the private tab and confirm that the folder is automatically deleted.

Expected Behavior

No private browsing data should be written to disk at any point.

Actual Behavior

Temporary storage data is written to storage/<private>/<UUID>/ during the session.

The data is deleted only when the private tab is closed.

Impact

Privacy Violation: Local attackers or malware can access browsing activity during an active session.
Temporary Forensic Risk: Sensitive data from private browsing could be extracted before tab closure.

Users’ expectation that private browsing leaves no traces is broken.

Flags: sec-bounty?

That is intentional. The data on disk is encrypted.

Group: firefox-core-security → dom-core-security
Component: Security → Storage: IndexedDB
Product: Firefox → Core

Harveer, can we close this as INVALID or something? Thanks.

Flags: needinfo?(hsingh)

(In reply to Andrew McCreight [:mccr8] from comment #1)
> That is intentional. The data on disk is encrypted.

Confirming this. In order to support more sophisticated use cases in Private Browsing Mode with larger data sets it was not viable to only store PBM data in memory, so the data is safely written to disk in an encrypted form but without persisting the encryption key to disk. By policy, PBM data is retained until the session is closed so the data continues to be available during the session. We clear the data at shutdown, or in the event of unclean shutdown, we purge the (encrypted) data at the next startup.

Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Flags: needinfo?(hsingh)
Resolution: --- → INVALID
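
The design described in the comment above (data encrypted on disk, key held only in memory, leftovers purged at the next startup after an unclean shutdown), as an added Node.js model that is not Firefox code and not part of this bug thread. AES-256-GCM, the names `PrivateSessionStore` and `purgeLeftovers`, and the file layout are assumptions for illustration; the thread does not say which cipher Firefox uses.

```javascript
// Added model of an ephemeral-key encrypted store; cipher and names are assumptions.
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

class PrivateSessionStore {
  constructor(root) {
    this.key = crypto.randomBytes(32); // held in memory only, never written
    this.dir = path.join(root, crypto.randomUUID());
    fs.mkdirSync(this.dir, { recursive: true });
  }
  put(name, text) {
    const iv = crypto.randomBytes(12); // fresh nonce per record
    const c = crypto.createCipheriv('aes-256-gcm', this.key, iv);
    const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
    const blob = Buffer.concat([iv, c.getAuthTag(), body]);
    fs.writeFileSync(path.join(this.dir, name), blob);
  }
  get(name) {
    const raw = fs.readFileSync(path.join(this.dir, name));
    const d = crypto.createDecipheriv('aes-256-gcm', this.key, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  }
  close() { // clean session end: drop the key, delete the files
    this.key.fill(0);
    fs.rmSync(this.dir, { recursive: true, force: true });
  }
}

// Startup purge: after a crash the key is gone, so leftovers are just deleted.
function purgeLeftovers(root) {
  const names = fs.readdirSync(root);
  for (const n of names) fs.rmSync(path.join(root, n), { recursive: true, force: true });
  return names.length;
}

function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'pbm-model-'));
  const secret = 'constructed sample: visited example.test';
  const s = new PrivateSessionStore(root);
  s.put('record.bin', secret);
  const onDisk = fs.readFileSync(path.join(s.dir, 'record.bin'));
  const result = { roundTrip: s.get('record.bin') === secret, plaintextOnDisk: onDisk.includes(secret) };
  result.purged = purgeLeftovers(root); // simulated crash: close() never ran
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}
```

In this model, a process that only reads the session directory sees nonce, tag and ciphertext; recovering the content requires the key from the live process's memory.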

Okk

Group: dom-core-security
Flags: sec-bounty? → sec-bounty-
See Also: → idb-private-browsing