CVE-2019-11743 in Firefox
Summary
by MITRE
Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side-channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 11/26/2025
The vulnerability described in CVE-2019-11743 represents a significant information disclosure flaw in web browser implementations that relates to the Navigation Timing API specification. This issue specifically impacts how browsers handle navigation events, particularly the unload event, when processing timing data according to the W3C Navigation-Timing Level 2 draft specification. The core problem lies in the inconsistent implementation of cross-origin security restrictions that should prevent detailed timing information from being exposed across different origins. When browsers fail to properly enforce these restrictions, they create opportunities for malicious actors to exploit timing side-channel attacks that can reveal sensitive information about a user's browsing history.
The technical flaw manifests in the browser's handling of navigation events where the unload event does not fully comply with the specification's requirements for same-origin access restrictions. According to the W3C specification, timing attributes should only be accessible to same-origin contexts to prevent cross-origin information leakage. However, this vulnerability allows for partial timing data exposure that can be collected through timing side-channel attacks. The implementation deviation creates a window where attackers can infer information about navigation patterns and browsing history by measuring the time intervals between navigation events, effectively bypassing the intended security boundaries that should protect users from cross-origin data collection.
This vulnerability has substantial operational impact on affected browser versions including Firefox versions prior to 69, Thunderbird versions prior to 68.1 and 60.9, as well as their respective ESR (Extended Support Release) versions. The security implications extend beyond simple information disclosure to potentially enable sophisticated tracking mechanisms that could compromise user privacy and anonymity. Attackers can leverage this vulnerability to reconstruct user navigation patterns, identify visited websites, and potentially correlate browsing behavior across different sessions. The timing side-channel attacks exploit the fact that different websites have varying load times and navigation characteristics, allowing for inference of sensitive information about user activities and preferences.
The vulnerability aligns with CWE-200 (Information Exposure) and represents a specific implementation gap in web security standards that can be categorized under ATT&CK technique T1566 (Phishing) and T1592 (Gather Victim Host Information) in threat actor methodologies. Organizations and users running affected browser versions face increased risk of privacy breaches and tracking activities that could lead to targeted advertising, surveillance, or even more sophisticated social engineering attacks. The remediation approach requires updating to patched browser versions where proper adherence to the Navigation-Timing Level 2 specification has been implemented, ensuring that timing attributes are correctly restricted to same-origin contexts and that unload event handling properly enforces cross-origin security boundaries.