Mozilla improves privacy by clamping down on social media cross-site tracking cookies

Mozilla pushed out a major revamp of Firefox yesterday, complete with a built-in password manager and enhanced privacy protection with tracking by social media websites blocked by default.

Firefox 70 comes with a bundled password management tool, Firefox Lockwise, that provides a locker for logins that users can share across devices, along with a password generator function.

The release also includes additional privacy protections with cross-site tracking cookies from sites like Facebook, Twitter, and LinkedIn now blocked by default.

The ‘Enhanced Tracking Protection’ built into the browser provides details of the trackers that Firefox has blocked more generally, as well as reports from Monitor and the Lockwise password management tool.

On the digital certificate front, the Extended Validation (EV) indicator has been moved to the identity popup that appears when clicking the lock icon in Firefox 70, effectively depreciating the prominence of the indicator.

Mozilla’s Firefox 70 release notes provide more information on security feature enhancement in the browser.

Under the hood

The Firefox update also comes with several security fixes. These include resolution for memory safety bugs (CVE-2019-11764), rated as critical as well as a number of less serious vulnerabilities.

Three of the lesser flaws – all rated as high severity rather than critical – address a heap buffer overflow in FEC processing in WebRTC, a heap overflow in expat library in XML_GetCurrentLineNumber, and a use-after-free vulnerability that arises when creating index updates in IndexedDB, respectively.

A technique to bypass Content Security Policy (CSP) left surfers browsing the web with the previous release of Firefox vulnerable to cross-site scripting (XSS) exploits.

Check out the latest browser security news from The Daily Swig

Researcher Matheus Vrech uncovered a full-blown CSP bypass in Firefox version 69, as previously reported by The Daily Swig.

The latest beta versions of Firefox were not vulnerable. Chrome, Safari, and Edge are unaffected.

Firefox 70 resolves this “CSP bypass using object tag when script-src 'none' is specified” vulnerability (CVE-2019-17001), discovered by Vrech, as well as a separate CSP bypass using object tag with data: URI security bug. Both vulnerabilities are rated as “moderate” by Mozilla.

PortSwigger researcher Gareth Heyes is credited with finding a “moderate severity cross-site scripting bug” in Firefox, also resolved with the latest release. More specifically, Heyes discovered incorrect HTML parsing results in an XSS bypass technique (CVE-2019-11763).

The find was one of a number of shortcomings in security across multiple browsers presented by Heyes at OWASP’s flagship European event late last month.

YOU MIGHT ALSO LIKE Another UXSS bug found in Safari WebKit