Този сайт ще има ограничена функционалност, докато се извършва тече неговата поддръжка. Ако дадена статия не може реши проблема ви и искате да зададете въпрос, нашата общност е готова да ви помогне на @firefox в Twitter и /r/firefox в Reddit.

Търсене в помощните статии

Избягвайте измамите при поддръжката. Никога няма да ви помолим да се обадите или изпратите SMS на телефонен номер или да споделите лична информация. Моля, докладвайте подозрителна активност на "Докладване за злоупотреба".

Научете повече

question about browser exploits

more options

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird? (I would assume that would be considered a vulnerability and if it is possible it would be patched immediately, but I also figured that it is better to ask than to "assume.")

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird? (I would assume that would be considered a vulnerability and if it is possible it would be patched immediately, but I also figured that it is better to ask than to "assume.")

Избрано решение

4232jl said

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird?

There is at least a theoretical risk to data saved in Firefox (not in Thunderbird), and a corresponding mitigation.

(1) Let's say you saved a login for Site A and you are visiting Site A. If an attacker has figured out how to inject alien scripts into Site A, it is possible for an attack script to draw a (hidden) login form in the page in the hope that your browser will autofill the username and password fields with your login. If it does, then the attack script could read that information out of the form. To avoid this risk, you can turn off autofilling of login forms. In Firefox, that's on the Settings/Preferences page:

With autofill off, any saved login(s) will be suggested in a drop-down so you can fill the form with one click on the drop-down.

(2) If you are visiting a site you have NOT saved a login for, it's very difficult to think of any method an attack script could use to access saved logins. Scripts have a standard set of interfaces they can use to obtain browser information, and there is no interface for reading saved logins.

It's not possible to completely rule out a programming error, of course, so if such a serious vulnerability were to be reported to Mozilla, it likely would be fixed within the usual update cycle (4 weeks) or faster.

Прочетете този отговор в контекста 👍 0

Всички отговори (2)

more options

I would think that they would catch such intrusions. I personally have no such problems my self. wish you good luck and stay safe.

more options

Избрано решение

4232jl said

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird?

There is at least a theoretical risk to data saved in Firefox (not in Thunderbird), and a corresponding mitigation.

(1) Let's say you saved a login for Site A and you are visiting Site A. If an attacker has figured out how to inject alien scripts into Site A, it is possible for an attack script to draw a (hidden) login form in the page in the hope that your browser will autofill the username and password fields with your login. If it does, then the attack script could read that information out of the form. To avoid this risk, you can turn off autofilling of login forms. In Firefox, that's on the Settings/Preferences page:

With autofill off, any saved login(s) will be suggested in a drop-down so you can fill the form with one click on the drop-down.

(2) If you are visiting a site you have NOT saved a login for, it's very difficult to think of any method an attack script could use to access saved logins. Scripts have a standard set of interfaces they can use to obtain browser information, and there is no interface for reading saved logins.

It's not possible to completely rule out a programming error, of course, so if such a serious vulnerability were to be reported to Mozilla, it likely would be fixed within the usual update cycle (4 weeks) or faster.