CVE-2007-4879

Mozilla Firefox before Firefox 2.0.0.13, and SeaMonkey before 1.1.9, can automatically install TLS client certificates with minimal user interaction, and automatically sends these certificates when requested, which makes it easier for remote web sites to track user activities across domains by requesting the TLS client certificates from other domains.

• http://0x90.eu/ff_tls_poc.html
• http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00002.html
• http://secunia.com/advisories/29526Vendor Advisory
• http://secunia.com/advisories/29539Vendor Advisory
• http://secunia.com/advisories/29541Vendor Advisory
• http://secunia.com/advisories/29547Vendor Advisory
• http://secunia.com/advisories/29558Vendor Advisory
• http://secunia.com/advisories/29560Vendor Advisory
• http://secunia.com/advisories/29616Vendor Advisory
• http://secunia.com/advisories/29645Vendor Advisory
• http://secunia.com/advisories/30327Vendor Advisory
• http://secunia.com/advisories/30620Vendor Advisory
• http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
• http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128
• http://www.debian.org/security/2008/dsa-1532
• http://www.debian.org/security/2008/dsa-1534
• http://www.debian.org/security/2008/dsa-1535
• http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
• http://www.mandriva.com/security/advisories?name=MDVSA-2008:080
• http://www.mozilla.org/security/announce/2008/mfsa2008-17.html
• http://www.securityfocus.com/archive/1/490196/100/0/threaded
• http://www.securityfocus.com/bid/28448
• http://www.securitytracker.com/id?1019704
• http://www.ubuntu.com/usn/usn-592-1
• http://www.us-cert.gov/cas/techalerts/TA08-087A.htmlUS Government Resource
• http://www.vupen.com/english/advisories/2008/0998/referencesVendor Advisory
• http://www.vupen.com/english/advisories/2008/1793/referencesVendor Advisory
• https://bugzilla.mozilla.org/show_bug.cgi?id=395399
• http://0x90.eu/ff_tls_poc.html
• http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00002.html
• http://secunia.com/advisories/29526Vendor Advisory
• http://secunia.com/advisories/29539Vendor Advisory
• http://secunia.com/advisories/29541Vendor Advisory
• http://secunia.com/advisories/29547Vendor Advisory
• http://secunia.com/advisories/29558Vendor Advisory
• http://secunia.com/advisories/29560Vendor Advisory
• http://secunia.com/advisories/29616Vendor Advisory
• http://secunia.com/advisories/29645Vendor Advisory
• http://secunia.com/advisories/30327Vendor Advisory
• http://secunia.com/advisories/30620Vendor Advisory
• http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
• http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128
• http://www.debian.org/security/2008/dsa-1532
• http://www.debian.org/security/2008/dsa-1534
• http://www.debian.org/security/2008/dsa-1535
• http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
• http://www.mandriva.com/security/advisories?name=MDVSA-2008:080
• http://www.mozilla.org/security/announce/2008/mfsa2008-17.html
• http://www.securityfocus.com/archive/1/490196/100/0/threaded
• http://www.securityfocus.com/bid/28448
• http://www.securitytracker.com/id?1019704
• http://www.ubuntu.com/usn/usn-592-1
• http://www.us-cert.gov/cas/techalerts/TA08-087A.htmlUS Government Resource
• http://www.vupen.com/english/advisories/2008/0998/referencesVendor Advisory
• http://www.vupen.com/english/advisories/2008/1793/referencesVendor Advisory
• https://bugzilla.mozilla.org/show_bug.cgi?id=395399

Published

Sep 13, 2007

Last Modified

Jun 16, 2026

Status

Modified