CVE-2022-29912 Requests initiated through reader mode did not properly omit cookies with a SameSite attribute

If a user had a malicious site set as their preferred email provider through an add-on like Preference synchronizer, and then installed an add-on which had been reported to set cookies with a same-site attribute, an attacker could potentially infer information about the add-on and its usage, potentially leading to further exposure. We encourage users to update their installations of these add-ons to avoid this vulnerability, and recommend that developers of third-party add-ons review their implementation of cookies with a SameSite attribute and update their code to avoid this vulnerability. An update for Thunderbird is now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8. This update for Red Hat Enterprise Linux 7 will be released in early November. An update for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 8 is now available. An update for Firefox ESR is now available for Debian 9.0 and Debian 10.0. An update for Firefox is now available for Debian 9.0. In the upcoming weeks, we plan to release an update for Firefox that will be released in Ubuntu 18.04. Users of these operating systems are encouraged to update their installations of Thunderbird and Firefox to receive this update as soon as possible. Interested in red alert? The Pwning the Pwn competition has now begun. If you have used a SameSite cookie to identify add-ons, you can now test if your add-on is vulnerable to this

Overview of CVE-2022-29912

An attacker could potentially infer information about the add-on and its usage, potentially leading to further exposure.

What is a SameSite Cookie?

A SameSite cookie is a type of HTTP cookie that specifies the same-site attribute. This attribute prevents the cookie from being sent to any other website other than the one it was set on.
If an add-on, like Preference synchronizer, had been reported to set cookies with a SameSite attribute, an attacker could potentially infer information about the add-on and its usage, potentially leading to further exposure.

What is a SameSite cookie?

A SameSite cookie is a special type of cookie that is placed on the user's computer when they visit a site with a SameSite attribute. This attribute takes effect when the web browser is configured to send cookies to sites that are deemed "same-site" (i.e., the same domain, port, protocol, and protocol version) as the origin site. These attributes prevent certain types of attacks where cross-site scripting vulnerabilities allow websites to steal information from other websites.
Most browsers today have a default setting for this attribute which blocks third-party cookies from being sent across same-site boundaries, but add-ons can override this for specific domains and hosts by using the SetSameSiteCookie API function in JavaScript. For example, an add-on developer may want to use this function to send cookies from their website only to their website during testing or development without sending it to third parties, but they still want their website's visitors to see third-party advertising, such as sponsored popups or banners that these ads are delivered via "third party" host names like http://www.example.com/ad1.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 02:42:00 UTC

References

• https://www.mozilla.org/security/advisories/mfsa2022-17/
• https://www.mozilla.org/security/advisories/mfsa2022-16/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1692655
• https://www.mozilla.org/security/advisories/mfsa2022-18/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29912