Mozilla Foundation Security Advisory 2010-33

User tracking across sites using Math.random()

Announced: June 22, 2010
Reporter: Amit Klein
Impact: Low
Products: Firefox, SeaMonkey
Fixed in:
  • Firefox 3.5.10
  • Firefox 3.5.12
  • Firefox 3.6.4
  • Firefox 3.6.9
  • SeaMonkey 2.0.5

Description

Security researcher Amit Klein reported that it was possible to reverse engineer the value used to seed Math.random(). Since the pseudo-random number generator was only seeded once per browsing session, this seed value could be used as a unique token to identify and track users across different web sites.

Update (October 27, 2010): After the Firefox 3.6.4 and Firefox 3.5.10 releases, Amit Klein reported that there was an additional unfixed case where user tracking could occur using the above-mentioned technique and a pop-up window or iframe that was subsequently navigated by the user. This additional variant is identified as CVE-2010-3171.
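The linkage described above, modelled as an added example that is not part of the advisory or of Mozilla's code: a toy generator stands in for Math.random(), and two sites compare what they observed. The generator, its constants, the seeds, the origins and the per-origin seeding shown as a contrast are all assumptions made for illustration; the advisory does not describe the shipped fix.

```javascript
// Toy 32-bit LCG (constructed for illustration; NOT Firefox's generator).
// Simplification: each output exposes the generator's full internal state.
const step = (s) => (Math.imul(s, 1664525) + 1013904223) >>> 0;

function makeRng(seed) {
  let state = seed >>> 0;
  return () => { state = step(state); return state / 2 ** 32; };
}

// "shared": one generator, seeded once per session and used by every site
// (the behaviour the advisory describes). "perOrigin": one generator per origin.
function makeSession(mode, nextSeed) {
  const shared = mode === 'shared' ? makeRng(nextSeed()) : null;
  const perOrigin = new Map();
  return (origin) => {
    if (shared) return shared();
    if (!perOrigin.has(origin)) perOrigin.set(origin, makeRng(nextSeed()));
    return perOrigin.get(origin)();
  };
}

// What a page learns from a single output in this toy model.
const observedState = (output) => output * 2 ** 32;

// Two observations come from the same stream if one state is reachable
// from the other within a bounded number of generator steps.
function sameStream(a, b, maxSteps = 1000) {
  for (let i = 0, s = a; i <= maxSteps; i++, s = step(s)) {
    if (s === b) return true;
  }
  return false;
}

// Constructed seeds so the run is reproducible; an implementation would
// draw each seed from the operating system's CSPRNG.
const SEEDS = [0x1234abcd, 0x0badf00d, 0x5eed5eed];

function linkable(mode) {
  let i = 0;
  const random = makeSession(mode, () => SEEDS[i++]);
  const seenByA = observedState(random('https://a.example'));
  for (let n = 0; n < 25; n++) random('https://news.example'); // unrelated calls
  const seenByB = observedState(random('https://b.example'));
  return sameStream(seenByA, seenByB);
}

console.log({ shared: linkable('shared'), perOrigin: linkable('perOrigin') });
```

With a session-wide generator the two observations fall on one stream even after unrelated calls in between, which is what makes the state usable as a cross-site token; with independent per-origin streams they do not.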
