Mozilla set to patch eight-year-old CSS history leak
A proposed Firefox patch promises to close a long-standing CSS security hole that leaves a browser's surfing history vulnerable to attackers.

The Mozilla Foundation has announced it is close to plugging a privacy hole that has plagued all major web browsers for nearly a decade.
The vulnerability in question is a Cascading Style Sheet (CSS) issue that leaves an internet user's web history potentially visible to attackers because of how CSS displays visited and unvisited links in different colours.
In a post on the Mozilla blog, Mozilla Security's Sid Stamm said the Foundation was close to plugging the so-called "CSS History Leak" and that the matter would be addressed in a forthcoming Firefox fix, though he didn't specify exactly when.
"We're close to landing some changes in the Firefox development tree that will fix a privacy leak that browsers have been struggling with for some time," Stamm wrote. "We're really excited about this fix, we hope other browsers will follow suit. It's a tough problem to fix, though."
Currently, all an attacker needs to do to get an accurate picture of any web user's browsing history is bombard the browser with huge lists of possible URLs and pick out those whose links are rendered in a different colour, indicating the site in question has been visited.
Regularly clearing your web history is one way to tackle the issue, but with all major browsers vulnerable to a problem that has been around for some eight years, it has become a well-known and well-exploited security hole.
However, the proposed patch developed by Mozilla employee David Baron claims to fix the problem by effectively making elements within the browser and various CSS functions believe that all links are unvisited.
In a post on his own blog, Baron said the patches were complete and only had to be put through various testing structures before being ready to send out to Firefox users.
"I have patches implementing this solution that I believe are largely complete, and which I will soon be requesting reviews on to begin the process of incorporating them into a future version of Gecko, the layout engine used by Firefox."
In reporting the news, however, Stamm did warn that there would potentially be some effect on day-to-day browsing at least until websites adapted to the new measures.
"For the most part, users shouldn't notice a change in how the web works. A few websites may look a little different, but visited links will still show up differently coloured. A few sites that use more than colour to differentiate visited links may look slightly broken at first while they adjust to these changes, but we think it's the right trade-off to be sure we protect our users' privacy," he added.
"This is a troubling and well-understood attack; as much as we hate to break any portion of the web, we need to shut the attack down to the extent we can."
