Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Firefox 88 Combats Cross-Site Tracking to Improve User Privacy

Mozilla this week released Firefox 88 in the stable channel with patches for a dozen vulnerabilities and with improved user privacy, obtained through isolating the window.name property to the website that created it.

Mozilla this week released Firefox 88 in the stable channel with patches for a dozen vulnerabilities and with improved user privacy, obtained through isolating the window.name property to the website that created it.

For over two decades, the window.name property has been available for websites to store whatever data they choose to, but such data has often been allowed to leak between sites, essentially allowing for the tracking of users across the pages they visit.

The data that websites stored in window.name, Mozilla explains, has been exempt from the same-origin policy that prevented information sharing between websites. Thus, sites were able to share data about users via the window.name property.

“Tracking companies have been abusing this property to leak information, and have effectively turned it into a communication channel for transporting data between websites. Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website,” Mozilla says.

To put a stop to this behavior, Firefox will no longer allow websites to access the window.name set by other sites by clearing the property when users navigate to new websites. Whenever the user navigates back to a website, Firefox will restore the property to its previous value for that site.

“Firefox will attempt to identify likely non-harmful usage of window.name and avoid clearing the property in such cases. Specifically, Firefox only clears window.name if the link being clicked does not open a pop-up window,” Mozilla says.

These rules, the browser maker notes, will work in a manner similar to how Total Cookie Protection confines cookies to the websites that created them and should prevent malicious sites from abusing window.name to harvest user data.

Firefox 88 also includes patches for four high-severity flaws, six medium-severity bugs, and two low-severity security issues, along with fixes for various memory safety bugs collectively tracked as CVE-2021-29947 and which could lead to arbitrary code execution.

Advertisement. Scroll to continue reading.

Related: Firefox 87 Adds Stronger User Privacy Protections

Related: Chrome, Edge and Firefox May Leak Information on Installed Apps

Related: Firefox Flaw Allowed Hackers to Remotely Open Malicious Sites on Android Phones

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybercrime

Daniel Kelley was just 18 years old when he was arrested and charged on thirty counts – most infamously for the 2015 hack of...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...