Mozilla set to patch eight-year-old CSS history leak
A proposed Firefox patch promises to close a long-standing CSS security hole that leaves a browser's surfing history vulnerable to attackers.

The Mozilla Foundation has announced it is close to plugging a privacy hole that has plagued all major web browsers for nearly a decade.
The vulnerability in question is a Cascading Style Sheets (CSS) issue that leaves an internet user's web history potentially visible to attackers because CSS displays visited and unvisited links in different colours.
In a post on the Mozilla blog, Mozilla Security's Sid Stamm said the Foundation was close to plugging the so-called "CSS History Leak", saying the matter would be addressed in a forthcoming Firefox fix, though he didn't specify exactly when.
"We're close to landing some changes in the Firefox development tree that will fix a privacy leak that browsers have been struggling with for some time," Stamm wrote. "We're really excited about this fix, we hope other browsers will follow suit. It's a tough problem to fix, though."
Currently, all an attacker needs to do to get an accurate picture of any web user's browsing history is bombard the browser with huge lists of possible URLs and filter out those with differently coloured links, indicating the site in question has been visited.
Regularly clearing your web history is one way to tackle the issue, but with all major browsers vulnerable to a problem that has been around for some eight years, it has become a well-known and well-exploited security hole.
However, the proposed patch developed by Mozilla employee David Baron claims to fix the problem by effectively making elements within the browser and various CSS functions believe that all links are unvisited.
In a post on his own blog, Baron said the patches were complete and only had to be put through various testing structures before being ready to send out to Firefox users.
"I have patches implementing this solution that I believe are largely complete, and which I will soon be requesting reviews on to begin the process of incorporating them into a future version of Gecko, the layout engine used by Firefox."
In reporting the news, however, Stamm did warn that there would potentially be some effect on day-to-day browsing at least until websites adapted to the new measures.
"For the most part, users shouldn't notice a change in how the web works. A few websites may look a little different, but visited links will still show up differently coloured. A few sites that use more than colour to differentiate visited links may look slightly broken at first while they adjust to these changes, but we think it's the right trade-off to be sure we protect our users' privacy," he added.
"This is a troubling and well-understood attack; as much as we hate to break any portion of the web, we need to shut the attack down to the extent we can."
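The behaviour described above can be expressed as an invariant that a tester would assert: the style a script can read must be identical for visited and unvisited links, while the painted colour may still differ. The following is an added example, not code from Mozilla or from Baron's patches. It is a simplified model in which the sample history, the stylesheet, the function names and the list of colour properties are all assumptions made for illustration.

```javascript
// Simplified model of the fix (constructed for illustration; not Gecko code).
// Constructed sample data: one visited URL and a sheet with :link/:visited rules.
const browserHistory = new Set(["https://example.org/visited"]);
const sheet = [
  { selector: ":link",    decls: { color: "blue",   "background-image": "none" } },
  { selector: ":visited", decls: { color: "purple", "background-image": "url(/tick.png)" } },
];

// Assumed subset of colour-only properties a :visited rule may still change.
const VISITED_SAFE = new Set(["color", "background-color", "border-color", "outline-color"]);

// Merge the declarations of every rule using the given pseudo-class.
function matchRules(pseudo) {
  return sheet
    .filter((rule) => rule.selector === pseudo)
    .reduce((acc, rule) => Object.assign(acc, rule.decls), {});
}

// Pre-fix behaviour: one style chosen from real history, shared by renderer and script.
function legacyStyle(url) {
  const style = matchRules(browserHistory.has(url) ? ":visited" : ":link");
  return { painted: style, scriptVisible: style };
}

// Post-fix behaviour: script always sees the unvisited style; the renderer
// overlays only colour properties from :visited rules for visited links.
function hardenedStyle(url) {
  const unvisited = matchRules(":link");
  const painted = { ...unvisited };
  if (browserHistory.has(url)) {
    for (const [prop, value] of Object.entries(matchRules(":visited"))) {
      if (VISITED_SAFE.has(prop)) painted[prop] = value; // non-colour props are ignored
    }
  }
  return { painted, scriptVisible: unvisited };
}

// Invariant check: can page script tell a visited link from an unvisited one?
function scriptCanDistinguish(styleFn) {
  const seen = JSON.stringify(styleFn("https://example.org/visited").scriptVisible);
  const unseen = JSON.stringify(styleFn("https://example.org/never-seen").scriptVisible);
  return seen !== unseen;
}

console.log("legacy leaks:", scriptCanDistinguish(legacyStyle));
console.log("hardened leaks:", scriptCanDistinguish(hardenedStyle));
```

The ignored `background-image` declaration is the kind of non-colour styling Stamm says may make some sites look slightly broken until they adjust.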