This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Hierdie gesprek is in die argief. Vra asseblief 'n nuwe vraag as jy hulp nodig het.

question about browser exploits

more options

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird? (I would assume that would be considered a vulnerability and if it is possible it would be patched immediately, but I also figured that it is better to ask than to "assume.")

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird? (I would assume that would be considered a vulnerability and if it is possible it would be patched immediately, but I also figured that it is better to ask than to "assume.")

Gekose oplossing

4232jl said

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird?

There is at least a theoretical risk to data saved in Firefox (not in Thunderbird), and a corresponding mitigation.

(1) Let's say you saved a login for Site A and you are visiting Site A. If an attacker has figured out how to inject alien scripts into Site A, it is possible for an attack script to draw a (hidden) login form in the page in the hope that your browser will autofill the username and password fields with your login. If it does, then the attack script could read that information out of the form. To avoid this risk, you can turn off autofilling of login forms. In Firefox, that's on the Settings/Preferences page:

With autofill off, any saved login(s) will be suggested in a drop-down so you can fill the form with one click on the drop-down.

(2) If you are visiting a site you have NOT saved a login for, it's very difficult to think of any method an attack script could use to access saved logins. Scripts have a standard set of interfaces they can use to obtain browser information, and there is no interface for reading saved logins.

It's not possible to completely rule out a programming error, of course, so if such a serious vulnerability were to be reported to Mozilla, it likely would be fixed within the usual update cycle (4 weeks) or faster.

Lees dié antwoord in konteks 👍 0

All Replies (2)

more options

I would think that they would catch such intrusions. I personally have no such problems my self. wish you good luck and stay safe.

more options

Gekose oplossing

4232jl said

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird?

There is at least a theoretical risk to data saved in Firefox (not in Thunderbird), and a corresponding mitigation.

(1) Let's say you saved a login for Site A and you are visiting Site A. If an attacker has figured out how to inject alien scripts into Site A, it is possible for an attack script to draw a (hidden) login form in the page in the hope that your browser will autofill the username and password fields with your login. If it does, then the attack script could read that information out of the form. To avoid this risk, you can turn off autofilling of login forms. In Firefox, that's on the Settings/Preferences page:

With autofill off, any saved login(s) will be suggested in a drop-down so you can fill the form with one click on the drop-down.

(2) If you are visiting a site you have NOT saved a login for, it's very difficult to think of any method an attack script could use to access saved logins. Scripts have a standard set of interfaces they can use to obtain browser information, and there is no interface for reading saved logins.

It's not possible to completely rule out a programming error, of course, so if such a serious vulnerability were to be reported to Mozilla, it likely would be fixed within the usual update cycle (4 weeks) or faster.