Mozilla this week released Firefox 88 in the stable channel with patches for a dozen vulnerabilities and with improved user privacy, obtained through isolating the window.name property to the website that created it.
For over two decades, the window.name property has been available for websites to store whatever data they choose to, but such data has often been allowed to leak between sites, essentially allowing for the tracking of users across the pages they visit.
The data that websites stored in window.name, Mozilla explains, has been exempt from the same-origin policy that prevented information sharing between websites. Thus, sites were able to share data about users via the window.name property.
“Tracking companies have been abusing this property to leak information, and have effectively turned it into a communication channel for transporting data between websites. Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website,” Mozilla says.
To put a stop to this behavior, Firefox will no longer allow websites to access the window.name set by other sites by clearing the property when users navigate to new websites. Whenever the user navigates back to a website, Firefox will restore the property to its previous value for that site.
“Firefox will attempt to identify likely non-harmful usage of window.name and avoid clearing the property in such cases. Specifically, Firefox only clears window.name if the link being clicked does not open a pop-up window,” Mozilla says.
These rules, the browser maker notes, will work in a manner similar to how Total Cookie Protection confines cookies to the websites that created them and should prevent malicious sites from abusing window.name to harvest user data.
Firefox 88 also includes patches for four high-severity flaws, six medium-severity bugs, and two low-severity security issues, along with fixes for various memory safety bugs collectively tracked as CVE-2021-29947 and which could lead to arbitrary code execution.