Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Firefox 88 Combats Cross-Site Tracking to Improve User Privacy

Mozilla this week released Firefox 88 in the stable channel with patches for a dozen vulnerabilities and with improved user privacy, obtained through isolating the window.name property to the website that created it.

Mozilla this week released Firefox 88 in the stable channel with patches for a dozen vulnerabilities and with improved user privacy, obtained through isolating the window.name property to the website that created it.

For over two decades, the window.name property has been available for websites to store whatever data they choose to, but such data has often been allowed to leak between sites, essentially allowing for the tracking of users across the pages they visit.

The data that websites stored in window.name, Mozilla explains, has been exempt from the same-origin policy that prevented information sharing between websites. Thus, sites were able to share data about users via the window.name property.

“Tracking companies have been abusing this property to leak information, and have effectively turned it into a communication channel for transporting data between websites. Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website,” Mozilla says.

To put a stop to this behavior, Firefox will no longer allow websites to access the window.name set by other sites by clearing the property when users navigate to new websites. Whenever the user navigates back to a website, Firefox will restore the property to its previous value for that site.

“Firefox will attempt to identify likely non-harmful usage of window.name and avoid clearing the property in such cases. Specifically, Firefox only clears window.name if the link being clicked does not open a pop-up window,” Mozilla says.

These rules, the browser maker notes, will work in a manner similar to how Total Cookie Protection confines cookies to the websites that created them and should prevent malicious sites from abusing window.name to harvest user data.

Firefox 88 also includes patches for four high-severity flaws, six medium-severity bugs, and two low-severity security issues, along with fixes for various memory safety bugs collectively tracked as CVE-2021-29947 and which could lead to arbitrary code execution.

Related: Firefox 87 Adds Stronger User Privacy Protections

Related: Chrome, Edge and Firefox May Leak Information on Installed Apps

Related: Firefox Flaw Allowed Hackers to Remotely Open Malicious Sites on Android Phones

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Cybercrime

The owner of China-based cryptocurrency exchange Bitzlato was arrested in Miami along with five associates in Europe

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Cyberwarfare

Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since when they still...