CVE-2018-5131 in Firefox
Summary
by MITRE
Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored, locally cached data of a website being accessible to users if they share a common profile while browsing. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59.
Analysis
by VulDB Data Team • 11/26/2025
The vulnerability described in CVE-2018-5131 represents a critical cache handling flaw within the fetch() API implementation in Mozilla Firefox browsers. This issue stems from improper interpretation of HTTP cache control directives, specifically the no-store and no-cache headers that web servers use to instruct browsers not to cache certain resources. When these headers are present in HTTP responses, the fetch() API should bypass local cache mechanisms and retrieve fresh content directly from the network source. However, the flaw allows the API to return cached local copies even when such behavior is explicitly prohibited by the server's cache control instructions.
The weakness is classified as CWE-200 (exposure of sensitive information to an unauthorized actor). It lies in the browser's HTTP client, at the point where the cache subsystem decides whether a stored response may be reused. When a page issues a fetch() request for a resource whose response carried cache control headers, that decision should honour the directives: a no-store response must not be served from local storage at all, and a no-cache response must not be served without revalidation. The vulnerability occurs when the cache logic fails to evaluate these headers correctly and returns the previously stored copy instead of fresh data from the server.
The operational impact of this vulnerability extends beyond simple privacy concerns to encompass potential data leakage and session hijacking risks. When multiple users share a common browsing profile or context, such as in shared computing environments or when using browser profiles that persist across sessions, the cached content from one user's session can inadvertently be exposed to subsequent users. This creates a scenario where sensitive information from one browsing session could be accessed by another user who shares the same browser profile, effectively bypassing the intended cache control mechanisms. The vulnerability affects both Firefox Extended Support Release versions prior to 52.7 and regular Firefox versions before 59, representing a significant portion of the browser user base at the time of discovery.
Within the ATT&CK framework this weakness maps to technique T1059.001 (Command and Scripting Interpreter) and T1566 (Phishing), as attackers could craft malicious web content that leverages the cache bypass to access previously cached sensitive data from other users. The vulnerability essentially creates a cache poisoning scenario in which legitimate cache control directives are ignored, allowing attackers to potentially retrieve cached content that should have been protected. Organizations using affected Firefox versions should apply mitigations immediately: update the browser, enforce cache control policies, and educate users about the risks of shared browsing profiles. The fix required modifications to Firefox's HTTP cache subsystem so that no-store and no-cache headers are respected during fetch() operations and local copies are not returned when network retrieval is required.
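The following is an added illustration, not Firefox's code or anything from the VulDB page: a small model of the reuse decision an HTTP cache is supposed to make for a fetch() request, written to the Cache-Control semantics the analysis above describes (no-store: never store or reuse; no-cache: reuse only after revalidation). It also models the request-side `cache` option of fetch(), which a site can set to `'no-store'` as a belt-and-braces measure. Function names (`parseCacheControl`, `cacheDecision`, `mayStore`) and the sample entries are constructed for this example.

```javascript
// Added example: model of a correct cache-reuse decision for fetch() responses.
// Not the browser's implementation; names and sample data are constructed here.

// Parse a Cache-Control header value into { directive: value }, with `true`
// for bare directives such as no-store. Directive names are case-insensitive.
function parseCacheControl(value) {
  const directives = {};
  if (!value) return directives;
  for (const part of value.split(',')) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    if (eq === -1) {
      directives[token.toLowerCase()] = true;
    } else {
      const name = token.slice(0, eq).trim().toLowerCase();
      let val = token.slice(eq + 1).trim();
      if (val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
      directives[name] = val;
    }
  }
  return directives;
}

// Decide what the cache may do with a stored entry for a new request.
// Returns 'network'    -> must fetch from origin, stored copy must not be used
//         'revalidate' -> stored copy usable only after a conditional request succeeds
//         'cache'      -> stored copy may be served as-is
// entry:   { storedAt: ms timestamp, responseHeaders: { lowercase-name: value } } or null
// request: { cacheMode } where cacheMode is the fetch() RequestCache value
function cacheDecision(entry, request, now = Date.now()) {
  const mode = request.cacheMode || 'default';
  // Request-side modes that always bypass any stored copy.
  if (mode === 'no-store' || mode === 'reload') return 'network';
  if (!entry) return 'network';
  if (mode === 'no-cache') return 'revalidate';

  const cc = parseCacheControl(entry.responseHeaders['cache-control']);
  // The bug class on this page: a no-store response must never be handed
  // back from local storage, even if one somehow got written.
  if (cc['no-store']) return 'network';
  // no-cache permits storage but forbids reuse without revalidation.
  if (cc['no-cache']) return 'revalidate';

  if (mode === 'force-cache' || mode === 'only-if-cached') return 'cache';
  const maxAge = Number.parseInt(cc['max-age'], 10);
  if (!Number.isNaN(maxAge)) {
    const ageSeconds = (now - entry.storedAt) / 1000;
    return ageSeconds < maxAge ? 'cache' : 'revalidate';
  }
  // No freshness information: treat as stale and revalidate.
  return 'revalidate';
}

// Whether a response may be written into a (possibly shared) cache at all.
function mayStore(responseHeaders, request) {
  if ((request.cacheMode || 'default') === 'no-store') return false;
  const cc = parseCacheControl(responseHeaders['cache-control']);
  return !cc['no-store'];
}

// Constructed sample: a per-user API response that the server marked as
// not to be stored, as sensitive endpoints typically do.
const sensitiveEntry = {
  storedAt: Date.now() - 5000,
  responseHeaders: {
    'cache-control': 'no-store, no-cache',
    'content-type': 'application/json',
  },
};

// Constructed sample: a public static asset that may be reused for 10 minutes.
const staticEntry = {
  storedAt: Date.now() - 1000,
  responseHeaders: { 'cache-control': 'public, max-age=600' },
};

console.log('sensitive, default mode :', cacheDecision(sensitiveEntry, { cacheMode: 'default' }));
console.log('may store sensitive     :', mayStore(sensitiveEntry.responseHeaders, { cacheMode: 'default' }));
console.log('static, default mode    :', cacheDecision(staticEntry, { cacheMode: 'default' }));
console.log('static, no-store request:', cacheDecision(staticEntry, { cacheMode: 'no-store' }));
```

Run with `node`. The two decisions that matter for this CVE are the first two lines of output: a stored copy of a no-store response yields `network` and `mayStore` returns `false`, which is the behaviour the fix restores. A site that cannot rely on every client honouring its response headers can additionally pass `{ cache: 'no-store' }` to fetch() for sensitive requests, which the model treats as an unconditional bypass.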