By default, CSS variables are not supported in Firefox. The only way to enable them is to add a userContent preference. This preference is enabled by default. In Thunderbird, enabling userContent also enables CSS variables by default.
In Firefox, userContent is disabled by default. To enable it, visit about:config and search for userContent. Confirm that the value is set to TRUE. Now, to load a CSS file, an attacker could inject the following URL:

https://example.com/css/variable.css

The CSS variable will be resolved and the content of variable.css will be loaded. If the user has enabled userContent and has a history with a variable.css URL, this could be used to track the user and perform click-bait attacks.

UserCSS

Is Made For
Enabling userContent in Firefox and Thunderbird will improve the security of your browsing experience by preventing attackers from loading arbitrary CSS files. In addition, if you have turned off userContent but have a history with a URL to a CSS file, you could use this technique to target specific users.

CVE-2023-29922

A bug in Firefox that can be exploited by malicious websites to execute arbitrary code on a targeted user's computer has been fixed. The vulnerability allows an attacker to exploit vulnerabilities in Mozilla's Firefox browser and take control of the victim's computer.
The vulnerability was originally reported by security firm FireEye, and the attack was demonstrated during BlackHat USA 2015.

UserContent preference

The userContent preference is used to load a CSS file in Thunderbird and Firefox. When an attacker injects the URL to this CSS file, they can track the user. If they have enabled that preference, they will be able to load it when they visit a website with an injected URL.
If the user has enabled userContent, the following site would be loaded:

https://example.com/css/variable.css

If this site is visited by the user, then their browser will automatically load variable.css without them manually loading it.

User-defined CSS

User-defined CSS, also known as userContent.css, is a way of specifying custom CSS to be used in any browser. This particular add-on allows you to specify your own CSS rules and load them on demand.

This type of add-on can be a useful tool for website owners who would like to make sure their users’ browsers are configured with the latest and greatest CSS rules.

CVE-2023-29366

Affected users can be tracked via cookies that are set on the computer of the user. This vulnerability allows an attacker to track a person's browsing habits and social media profiles, which could lead to identity theft.
The vulnerability is found in the way Firefox handles cookies with multiple domains by default. It allows an attacker to create a cookie for example.com and then load it up from a different website at example.net, thus tricking the browser into thinking they're using one cookie when they're not. With this information, an attacker can track users across multiple websites without their knowledge, allowing them to steal sensitive data or manipulate their social media profiles.
To fix this issue, visit about:config and search for network.cookie.cookieBehavior and change the preference value to "Block".

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 22:13:00 UTC

References