搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

question about browser exploits

more options

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird? (I would assume that would be considered a vulnerability and if it is possible it would be patched immediately, but I also figured that it is better to ask than to "assume.")

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird? (I would assume that would be considered a vulnerability and if it is possible it would be patched immediately, but I also figured that it is better to ask than to "assume.")

被選擇的解決方法

4232jl said

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird?

There is at least a theoretical risk to data saved in Firefox (not in Thunderbird), and a corresponding mitigation.

(1) Let's say you saved a login for Site A and you are visiting Site A. If an attacker has figured out how to inject alien scripts into Site A, it is possible for an attack script to draw a (hidden) login form in the page in the hope that your browser will autofill the username and password fields with your login. If it does, then the attack script could read that information out of the form. To avoid this risk, you can turn off autofilling of login forms. In Firefox, that's on the Settings/Preferences page:

With autofill off, any saved login(s) will be suggested in a drop-down so you can fill the form with one click on the drop-down.

(2) If you are visiting a site you have NOT saved a login for, it's very difficult to think of any method an attack script could use to access saved logins. Scripts have a standard set of interfaces they can use to obtain browser information, and there is no interface for reading saved logins.

It's not possible to completely rule out a programming error, of course, so if such a serious vulnerability were to be reported to Mozilla, it likely would be fixed within the usual update cycle (4 weeks) or faster.

從原來的回覆中察看解決方案 👍 0

所有回覆 (2)

more options

I would think that they would catch such intrusions. I personally have no such problems my self. wish you good luck and stay safe.

more options

選擇的解決方法

4232jl said

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird?

There is at least a theoretical risk to data saved in Firefox (not in Thunderbird), and a corresponding mitigation.

(1) Let's say you saved a login for Site A and you are visiting Site A. If an attacker has figured out how to inject alien scripts into Site A, it is possible for an attack script to draw a (hidden) login form in the page in the hope that your browser will autofill the username and password fields with your login. If it does, then the attack script could read that information out of the form. To avoid this risk, you can turn off autofilling of login forms. In Firefox, that's on the Settings/Preferences page:

With autofill off, any saved login(s) will be suggested in a drop-down so you can fill the form with one click on the drop-down.

(2) If you are visiting a site you have NOT saved a login for, it's very difficult to think of any method an attack script could use to access saved logins. Scripts have a standard set of interfaces they can use to obtain browser information, and there is no interface for reading saved logins.

It's not possible to completely rule out a programming error, of course, so if such a serious vulnerability were to be reported to Mozilla, it likely would be fixed within the usual update cycle (4 weeks) or faster.