CVE-2018-12367 in Firefox
Summary
by MITRE
In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work, PerformanceNavigationTiming was not adjusted, but it was found that it could be used as a precision timer. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61.
Analysis
by VulDB Data Team • 11/26/2025
CVE-2018-12367 is a bypass of the timing mitigations Firefox introduced against the Spectre family of speculative-execution side channels. Those earlier mitigations reduced the resolution of several timing sources so that a script could no longer measure short intervals precisely, but the PerformanceNavigationTiming API was left unchanged. Its unreduced timestamps could therefore still serve as a high-precision timer, undermining the purpose of the coarsening applied elsewhere.
The flaw is in the PerformanceNavigationTiming interface, which exposes detailed timestamps for the stages of a document's navigation. Because these values were not coarsened along with the other timers, a page could use them to measure very small time intervals. Affected releases are Thunderbird before 60, Firefox ESR before 60.1, and Firefox before 61; each retains the unmitigated behaviour and so leaves open a timing side channel of the kind the Spectre mitigations were meant to close.
The impact is that a script can again take precise timing measurements, which is the primitive every timing side channel depends on. Where an operation's duration depends on a secret, an attacker who can time it precisely may infer that secret; cryptographic keys, passwords, and other confidential data are the classic targets. This directly defeats the goal of the Spectre mitigations, and because the affected products are widely deployed, the exposure is broad for organizations and individuals that rely on them.
The fix reduces the precision of the values returned by PerformanceNavigationTiming so that the API can no longer serve as a fine-grained timer while it still supports legitimate performance monitoring. Timing side channels are a recognised weakness class in the Common Weakness Enumeration, and timing attacks are catalogued as an information-extraction technique under the ATT&CK framework. The fix illustrates the general trade-off in Spectre-era mitigations: timer resolution has to be lowered enough to blunt side channels without breaking the functionality that depends on the API.
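The two technical points above, an unadjusted API acting as a fine-grained timer and a fix that coarsens its output, can be made concrete with a small model. The following is an added example, not code from the VulDB page or from Mozilla: it models precision reduction as flooring a timestamp to a multiple of a resolution (Firefox's real implementation is not reproduced), and it adds a defender-side check that samples any timer-like source and reports whether the granularity it exposes is finer than a chosen policy. All function names (`coarsen`, `observeResolution`, `auditTimer`, `makeFakeClock`) are hypothetical, and the fake clock is constructed so the check runs deterministically offline.

```javascript
// Added example (not from the VulDB page or from Mozilla).
// Assumptions: coarsening is modelled as flooring to a multiple of a
// resolution in milliseconds, computed in integer microseconds so that
// boundaries such as 0.06 / 0.02 are not lost to floating-point error.
// Function names are hypothetical.

// Floor a millisecond timestamp to a multiple of resolutionMs.
// Input is assumed to carry at most microsecond precision.
function coarsen(ms, resolutionMs) {
  const us = Math.round(ms * 1000);
  const resUs = Math.round(resolutionMs * 1000);
  if (resUs <= 0) throw new RangeError('resolution must be at least 1 us');
  return (us - (us % resUs)) / 1000;
}

// Smallest positive gap between consecutive samples, or null when every
// sample is equal. This estimates the granularity of the source that
// produced the samples, regardless of how it is implemented.
function minPositiveDelta(samples) {
  let best = null;
  for (let i = 1; i < samples.length; i++) {
    const d = samples[i] - samples[i - 1];
    if (d > 0 && (best === null || d < best)) best = d;
  }
  return best;
}

// Read a timer source repeatedly and report its observed resolution (ms).
function observeResolution(readFn, iterations) {
  const samples = [];
  for (let i = 0; i < iterations; i++) samples.push(readFn());
  return minPositiveDelta(samples);
}

// Policy check: true when the source exposes ticks finer than policyMs.
// A small epsilon absorbs floating-point noise in the observed deltas.
function violatesPolicy(observedMs, policyMs) {
  return observedMs !== null && observedMs < policyMs - 1e-9;
}

// Convenience wrapper combining observation and the policy decision.
function auditTimer(readFn, policyMs, iterations) {
  const observedMs = observeResolution(readFn, iterations);
  return { observedMs, violates: violatesPolicy(observedMs, policyMs) };
}

// Constructed deterministic clock: advances stepUs microseconds per read.
function makeFakeClock(stepUs) {
  let t = 0;
  return () => { t += stepUs; return t / 1000; };
}

// Live high-resolution source if available (Node and browsers), else Date.now.
const hrNow = (typeof performance !== 'undefined' && performance.now)
  ? () => performance.now()
  : () => Date.now();

function demo() {
  const policyMs = 0.02; // example threshold, not a Firefox setting
  const raw = auditTimer(hrNow, policyMs, 2000);
  const clamped = auditTimer(() => coarsen(hrNow(), policyMs), policyMs, 2000);
  console.log('raw source:      ', raw);
  console.log('coarsened source:', clamped);
}

demo();
```

Running the script prints the observed granularity of the host's own timer next to the same source after coarsening; the raw source is normally reported as violating the example policy while the coarsened one is not, which is the property the fix for this CVE restores for PerformanceNavigationTiming. The same `auditTimer` call can be pointed at any function that returns a timestamp, which makes it a quick regression check that a timing-related API has actually been coarsened.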