CVE-2024-4767 in Thunderbird
Summary
by MITRE • 05/14/2024
If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Analysis
by VulDB Data Team • 04/02/2025
This vulnerability in Firefox and Thunderbird represents a critical privacy and data persistence issue that arises from improper handling of IndexedDB storage during private browsing sessions. The flaw specifically manifests when the `browser.privatebrowsing.autostart` preference is enabled, which automatically initiates private browsing mode upon browser launch. When this setting is active, the browser fails to properly clean up IndexedDB files that are created during the private browsing session, leaving behind potentially sensitive data that should have been automatically destroyed upon window closure. This represents a direct violation of fundamental privacy principles where temporary data storage mechanisms do not properly respect the ephemeral nature of private browsing sessions.
The technical implementation flaw stems from the browser's failure to execute proper cleanup routines for IndexedDB storage when private browsing windows close. IndexedDB is a client-side storage mechanism that allows web applications to store significant amounts of structured data, including databases that persist beyond individual page loads. In normal operation, private browsing modes should ensure complete data sanitization upon session termination, but this vulnerability demonstrates a gap in the cleanup process where IndexedDB files remain on disk even after the browsing window has been closed. The issue specifically affects the automatic destruction of temporary IndexedDB resources that are created during private browsing sessions, creating a persistent data footprint that could contain sensitive user information or session data.
The operational impact of this vulnerability extends beyond simple privacy concerns to potentially expose users to data leakage attacks and tracking mechanisms. When IndexedDB files persist after private browsing sessions, they may contain information such as user preferences, session identifiers, cached application data, or other potentially sensitive information that should have been automatically destroyed. This creates a vector for attackers to potentially reconstruct user activities, track browsing patterns, or access previously private information through forensic analysis of the file system. The vulnerability is particularly concerning in environments where users rely on private browsing for sensitive activities or where the browser is used on shared or compromised systems. From an attacker's perspective, this represents a persistence mechanism that violates the fundamental expectation that private browsing sessions provide complete data isolation and sanitization. The vulnerability affects multiple Mozilla products including Firefox, Firefox ESR, and Thunderbird, indicating a widespread implementation issue that requires coordinated patching across these platforms.
Security researchers have classified this issue under privacy violation and data persistence concerns, with potential implications for compliance with privacy regulations and standards. The vulnerability demonstrates a failure in proper resource management and data sanitization, which aligns with common weakness patterns identified in security frameworks. Organizations and users should immediately apply the available patches to address this vulnerability, as the persistence of IndexedDB files creates ongoing risks for user privacy and data security. The fix, shipped in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11, ensures proper cleanup of IndexedDB resources during private browsing session termination, restoring the expected behavior where temporary storage is automatically destroyed upon window closure. This vulnerability serves as a reminder of the critical importance of proper data sanitization in privacy-sensitive contexts and the need for comprehensive testing of cleanup mechanisms in security-sensitive applications.
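An added example, not part of the original advisory and not Mozilla's code: a triage check that flags an installation as exposed only when both conditions from the summary hold, a build below the fixed version and `browser.privatebrowsing.autostart` set to true. The product labels, function names and sample preferences text are assumptions made for the example; the `user_pref(...)` line format is the one used in a profile's `prefs.js`.

```python
import re

# Fixed versions as stated in the advisory; anything lower is affected.
# The product labels are assumptions chosen for this example.
FIXED = {"firefox": (126,), "firefox-esr": (115, 11), "thunderbird": (115, 11)}

PREF = "browser.privatebrowsing.autostart"
# prefs.js / user.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_version(text):
    """Turn '115.10.0esr' or '126.0' into a tuple of ints, e.g. (115, 10, 0)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_affected_version(product, version):
    """ESR and release must be told apart: 115.12 ESR is fixed, yet is < 126."""
    fixed, v = FIXED[product], parse_version(version)
    width = max(len(v), len(fixed))  # pad so that 126 and 126.0 compare equal
    v += (0,) * (width - len(v))
    fixed += (0,) * (width - len(fixed))
    return v < fixed


def autostart_enabled(prefs_text):
    """Last assignment wins; an absent pref means the default (disabled)."""
    enabled = False
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == PREF:
            enabled = m.group(2) == "true"
    return enabled


def exposed(product, version, prefs_text):
    """Exposed only when the build is unpatched AND the pref is turned on."""
    return is_affected_version(product, version) and autostart_enabled(prefs_text)


# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE_PREFS = 'user_pref("browser.startup.page", 3);\nuser_pref("browser.privatebrowsing.autostart", true);\n'
```

A profile that reports as exposed may already hold leftover IndexedDB files from earlier sessions, so upgrading stops new residue but does not by itself confirm old data is gone.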