Opened 4 years ago

Closed 4 years ago

#12150 closed defect (duplicate)

Fonts limit bypass with iframes

Reported by: jaedo Owned by: mikeperry
Priority: High Milestone:
Component: Firefox Patch Issues Version:
Severity: Keywords: tbb-fingerprinting
Cc: gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

It is possible to bypass max font using iframe (also object/frame i guess),

1st demo shows that each iframe instance has own max_font.
If you create many iframes with less than max_fonts in each, it not reset window.parent fonts.
http://pastebin.com/raw.php?i=MkqVQv8x

2nd, full bruteforce script with 512 fonts array.
It dynamically creates many iframes with N fonts in each.
Each iframe separately executes typical js/css detection mmmmlliii script with a short given set of fonts, and sends offsetWidth/Heights to parent script via postMessage.
Parent script collect all answers and then compare results.
http://pastebin.com/raw.php?i=D8DWb47X

Child Tickets

Change History (3)

comment:1 Changed 4 years ago by jaedo

Keywords: tbb-fingerprinting added

comment:2 Changed 4 years ago by gk

Cc: gk added
Priority: normalmajor

comment:3 Changed 4 years ago by gk

Resolution: duplicate
Status: newclosed

I just realized that this is a duplicate of #5798. See comment 13 there.

Note: See TracTickets for help on using tickets.