Usually, when browser updates come out, it’s obvious what to do if you’re running that browser on your laptop or desktop computer.

But we often get questions from readers (questions that we can’t always answer) wondering what to do if they’re using that browser on their mobile phone, where version numbering is often bewildering.

In the case of Firefox’s latest update we can at least partly answer that question for Android users, because the latest 88.0.1 “point release” of Mozilla’s browser lists only one security patch dubbed critical, namely CVE-2021-29953:

Further details are being temporarily withheld to allow users an opportunity to update. This issue only affected Firefox for Android.

The bug listed here is what’s known as a Universal Cross-site Scripting (UXSS) vulnerability, which means it’s a way for attackers to access private browser data from website X while you are browsing on booby-trapped website Y.

That’s definitely not supposed to happen.

Browsers are supposed to enforce the aptly-named Same Origin Policy, or SOP, whereby locally-saved web data is locked down so it can only be read back in later on by the same website that saved it in the first place.

Your browser is supposed to stop data such as cookies “leaking” between websites, or else site Y could peek at data such as your login details for site X, and abuse that site-specific data to masquerade as you on site X and hijack your account.

This helps to maintain security and privacy by preventing websites from leeching information about each other’s users.

One trick often used by crooks to violate the SOP is plain old Cross-site Scripting (XSS), which is the name given to any JavaScript-based privacy flaw that affects a specific website.

Imagine, for example, that I can trick your website into serving up JavaScript of my choosing, for example by sneakily embedding some JavaScript in a search link in such a way that your server erroneously reproduces my unmodified JavaScript in any replies sent back to those who click on that link.

Even though it’s my script, it came back from your server, so my code passes the “same origin policy” test, giving me access to data about your users that I shouldn’t be able to see.

But UXSS is the name given to a cross-site scripting flaw that is caused by a bug right inside your browser, not merely a bug on one specific website.

Loosely speaking, a UXSS is an XSS risk that applies wherever and whenever you browse, typically even when you visit well-maintained web servers that are themselves secure against site-specific XSS attacks.

If you go out in your car and one of the many drivers you encounter is careless and could get you into an accident, that’s a bit like the risk of XSS.

You can always watch out for and do your best to avoid the careless ones.

But if you yourself are that careless driver… that’s like the risk posed by UXSS, because it goes along with you everywhere.

So this is definitely an update you want if you use Firefox on Android.
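The site-specific XSS described above (a search term copied unmodified from the link into the server’s reply) is illustrated by the following example, added here and not taken from the article or from Mozilla’s code; the function names, the constructed search link and the `probe()` placeholder are all assumptions.

```javascript
// Added example (not from the article): a minimal search-results renderer,
// first with the reflected-XSS bug the article describes, then hardened.
// Names (escapeHtml, renderUnsafe, renderSafe, ...) are hypothetical.

// The five characters that let user text break out of HTML text/attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pull the search term out of a link of the form https://host/search?q=...
function queryFromLink(href) {
  return new URL(href).searchParams.get("q") || "";
}

// Vulnerable: the term is copied verbatim into the reply, so script carried in a
// crafted search link is served by the site and runs under the site's own origin,
// which is exactly what lets it pass the Same Origin Policy test.
function renderUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same term is HTML-escaped, so the browser shows it as plain text.
function renderSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Crude reviewer check over rendered output: did a <script> tag get through?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input, standing in for what a booby-trapped link would carry.
const CONSTRUCTED_QUERY = "shoes<script>probe()</script>";
const CONSTRUCTED_LINK =
  "https://shop.example/search?q=" + encodeURIComponent(CONSTRUCTED_QUERY);

if (typeof require !== "undefined" && require.main === module) {
  const q = queryFromLink(CONSTRUCTED_LINK);
  console.log("unsafe:", renderUnsafe(q)); // <script> tag reaches the page
  console.log("safe:  ", renderSafe(q));   // rendered as inert &lt;script&gt; text
}
```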