[tbb-bugs] #13027 [Tor Browser]: Ensure WebWorkers see spoofed navigator.* values

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 2 09:53:43 UTC 2014

#13027: Ensure WebWorkers see spoofed navigator.* values
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  ff31-esr, tbb-easy, tbb-testcase,
  Browser                |  tbb-fingerprinting, TorBrowserTeam201409Easy
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |

Comment (by gacar):

 It seems there's a problem here:  WebWorker side has access to unspoofed
 values of `appVersion` and `platform`. I tested with the attached html +
 js on both 32bit and 64bit Linux.

 platform (32bit Linux) = Linux i686  (should be Win32)
 platform (64bit Linux) = Linux x86_64  (should be Win32)
 appVersion = 5.0 (X11) - (should be 5.0 (Windows))

 There are only four properties available in navigator object on the worker
 side and two of them (`userAgent` and `appName`) match the spoofed values.

 It suspect the sweetspot is `Create` method in
 `dom/workers/Navigator.cpp`(1), which calls `STRING_TO_JSVAL`(2) to
 populate navigator properties:
 1: https://mxr.mozilla.org/mozilla-
 2: https://mxr.mozilla.org/mozilla-esr24/source/js/public/Value.h#1778

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13027#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list