Mozilla Foundation Security Advisory 2016-59

Information disclosure of disabled plugins through CSS pseudo-classes

Announced
June 7, 2016
Reporter
John Schoenick
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 47

Description

Mozilla developer John Schoenick reported that CSS pseudo-classes can be used by web content to leak information on plugins that are installed but disabled. This can be used for information disclosure through a fingerprinting attack that lists all of the plugins installed by a user on a system, even when they are disabled.

References