Bug#721689: iceweasel: Iceweasel fetches and runs software from mozilla.org without user permission

Andrew Varner av338 at avarner.org
Tue Sep 3 04:46:48 UTC 2013


Package: iceweasel
Version: 17.0.8esr-1~deb7u1
Severity: normal

Dear Maintainer,

On startup, iceweasel by default loads a home page that fetches remote javascript from Mozilla's servers, which can't be guaranteed to not contain proprietary software.

The code is in <chrome://browser/content/abouthome/aboutHome.js>. Simplified, it looks like this:


let updateURL = localStorage["snippets-update-url"];
//the URL is:   https://snippets.mozilla.com/3/Iceweasel/17.0.8/20130806234539/Linux_x86_64-gcc3/en-US/default/Linux%203.2.0-4-amd64%20(GTK%202.24.10)/default/default/

let xhr = new XMLHttpRequest();
xhr.open("GET", updateURL, true);

//later, when complete:
localStorage["snippets"] = xhr.responseText;
let snippetsElt = document.getElementById("snippets");
let snippets = localStorage["snippets"];
snippetsElt.innerHTML = snippets;



Two possible solutions:

Remove the "snippets" code from /content/browser/abouthome/aboutHome.js in /usr/share/iceweasel/chrome/browser.jar

Or, preferably, disable javascript by default. In /etc/iceweasel/profile/prefs.js add a new line:

user_pref("javascript.enabled", false);


Workaround (untested):

The first time you run Iceweasel, use this command line:

iceweasel about:blank

Then, either disable javascript in the preferences, or set your homepage to about:blank


Contrary to the bug filing instructions, I have not filed this bug with Mozilla upstream. I don't think they really take software freedom seriously enough (especially in the context of javascript on the web) that they would consider fixing this.

When producing the bug, I ran with a brand-new profile, in safe mode.


-- Package-specific info:

-- Extensions information
Name: Adblock Plus
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Package: xul-ext-adblock-plus
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: NoScript
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{73a6fe31-595d-460b-a920-fcc0f8843232}
Package: xul-ext-noscript
Status: enabled

Name: RefControl
Location: ${PROFILE_EXTENSIONS}/{455D905A-D37C-4643-A9E2-F6FEFAA0424A}.xpi
Status: enabled

Name: Status-4-Evar
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/status4evar at caligonstudios.com
Package: xul-ext-status4evar
Status: enabled

-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled


-- Addons package information
ii  gnome-shell    3.4.2-7      amd64        graphical shell for the GNOME des
ii  iceweasel      17.0.8esr-1~ amd64        Web browser based on Firefox
ii  xul-ext-adbloc 2.1-1+deb7u1 all          Advertisement blocking extension 
ii  xul-ext-noscri 2.1.4-1      all          Javascript/plugins permissions ma
ii  xul-ext-status 0.2012.04.21 all          Status bar widgets and progress i

-- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils         4.3.2
ii  fontconfig          2.9.0-7.1
ii  libc6               2.13-38
ii  libgdk-pixbuf2.0-0  2.26.1-1
ii  libglib2.0-0        2.33.12+really2.32.4-5
ii  libgtk2.0-0         2.24.10-2
ii  libnspr4            2:4.9.2-1
ii  libnspr4-0d         2:4.9.2-1
ii  libsqlite3-0        3.7.13-1+deb7u1
ii  libstdc++6          4.7.2-5
ii  procps              1:3.3.3-3
ii  xulrunner-17.0      17.0.8esr-1~deb7u1

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
pn  fonts-stix | otf-stix  <none>
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u1
pn  mozplugger             <none>

Versions of packages xulrunner-17.0 depends on:
ii  libasound2                1.0.25-4
ii  libatk1.0-0               2.4.0-2
ii  libbz2-1.0                1.0.6-4
ii  libc6                     2.13-38
ii  libcairo2                 1.12.2-3
ii  libdbus-1-3               1.6.8-1+deb7u1
ii  libdbus-glib-1-2          0.100.2-1
ii  libevent-2.0-5            2.0.19-stable-3
ii  libfontconfig1            2.9.0-7.1
ii  libfreetype6              2.4.9-1.1
ii  libgcc1                   1:4.7.2-5
ii  libgdk-pixbuf2.0-0        2.26.1-1
ii  libglib2.0-0              2.33.12+really2.32.4-5
ii  libgtk2.0-0               2.24.10-2
ii  libhunspell-1.3-0         1.3.2-4
ii  libjpeg8                  8d-1
ii  libmozjs17d               17.0.8esr-1~deb7u1
ii  libnspr4                  2:4.9.2-1
ii  libnss3                   2:3.14.3-1
ii  libnss3-1d                2:3.14.3-1
ii  libpango1.0-0             1.30.0-1
ii  libpixman-1-0             0.26.0-4
ii  libsqlite3-0              3.7.13-1+deb7u1
ii  libstartup-notification0  0.12-1
ii  libstdc++6                4.7.2-5
ii  libvpx1                   1.1.0-1
ii  libx11-6                  2:1.5.0-1+deb7u1
ii  libxext6                  2:1.3.1-2+deb7u1
ii  libxrender1               1:0.9.7-1+deb7u1
ii  libxt6                    1:1.1.3-1+deb7u1
ii  zlib1g                    1:1.2.7.dfsg-13

Versions of packages xulrunner-17.0 suggests:
ii  libcanberra0  0.28-6
ii  libgnomeui-0  2.24.5-2

-- no debconf information
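An added audit script, not code from the bug report or from Iceweasel, that parses a Mozilla prefs.js/user.js and checks for the two settings the report proposes (javascript.enabled set to false, home page set to about:blank). The pref name browser.startup.homepage is assumed to be the standard Firefox home page pref, and the sample prefs.js contents are constructed.

```javascript
// Added example, not code from the bug report or from Iceweasel: audit a
// Mozilla prefs.js/user.js for the two mitigations the report proposes.
// "javascript.enabled" is from the report; "browser.startup.homepage" is the
// standard Firefox home page pref (assumed here); samples are constructed.

// Matches one pref statement: user_pref("name", value); or pref("name", value);
const PREF_LINE = /^(?:user_pref|pref)\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);$/;

function parsePrefs(text) {
  const prefs = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("//") || line.startsWith("#") || line.startsWith("/*")) continue;
    const m = PREF_LINE.exec(line);
    if (!m) continue;                       // not a pref statement, ignore it
    let value;
    try { value = JSON.parse(m[2]); } catch (e) { value = m[2]; } // bool/number/string
    prefs.set(m[1], value);                 // a later line overrides an earlier one
  }
  return prefs;
}

// Returns the list of findings; an empty list means both mitigations are set.
function auditPrefs(prefs) {
  const findings = [];
  if (prefs.get("javascript.enabled") !== false) {
    findings.push("javascript.enabled is not false: about:home can still run the remote snippets");
  }
  const home = prefs.get("browser.startup.homepage");
  if (home !== "about:blank") {
    const shown = home === undefined ? "unset (the default home page is about:home)" : JSON.stringify(home);
    findings.push(`browser.startup.homepage is ${shown}, not about:blank`);
  }
  return findings;
}

// Constructed samples: a stock profile with neither setting, and a hardened one.
const SAMPLE_DEFAULT = `# Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "17.0.8");
`;
const SAMPLE_HARDENED = `user_pref("javascript.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.lastAppVersion", "17.0.8");
`;

console.log(auditPrefs(parsePrefs(SAMPLE_DEFAULT)));   // two findings
console.log(auditPrefs(parsePrefs(SAMPLE_HARDENED)));  // []
```

Point it at a real profile's prefs.js (or the /etc/iceweasel/profile/prefs.js template from the report) by reading the file into parsePrefs; a pref missing from the file is reported as unset, since the browser then falls back to its built-in default.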