[tor-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Feb 27 21:06:47 UTC 2016


#18390: PDF.js triggers canvas fingerprinting warning for some PDFs
-------------------------+---------------------------
 Reporter:  xcolour      |          Owner:  tbb-team
     Type:  defect       |         Status:  closed
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Normal       |     Resolution:  not a bug
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+---------------------------

Comment (by cypherpunks):

 Replying to [comment:3 cypherpunks]:
 > How about substituting site-hosted pdf.js with builtin one in an iframe?
 This is interesting. Maybe NoScript surrogates would be enough?

 Interesting, I said, but I actually do not like the idea. You would be running
 privileged code in an unprivileged context. Need a refresher on privilege
 escalation exploits? How about these 2:
 https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
 https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/

 That's a High and a Critical vuln, according to Mozilla's classification,
 in pdf.js in the last, what, 6-7 months? The second one was found in the
 wild:
 https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/

 I think in Tor Browser we should prefer security over convenience. And
 what kind of inconvenience are we talking about here? This is not Tor
 Browser outright blocking all canvas code. It is presenting a prompt, in some
 accesses, and you could dismiss it as well.

 In this case, if you decide to disallow it (the finer choice), what's the
 impact? yurydelendik tells us in
 https://github.com/mozilla/pdf.js/issues/7026#issuecomment-188802006: "it
 will affect the display quality for some old windows machines". Who the
 hell cares? :)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18390#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

