In a post on the Mozilla Security blog, Michael Coates, Director of Security Assurance for Mozilla, advises that a new security vulnerability has been found in the recently-released Firefox 16.0. The threat, apparently, is that details of your browsing history could be disclosed.
The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.
In addition to identifying the sites the user has visited, there is a potential risk of disclosure of confidential information, if the site returns data to the server as parameters in the URL. (Typically, these will appear after a ‘?’ in the URL, like this:
Mr. Coates’s post suggests that users could revert to the previous Firefox version, 15.0.1. I think this is probably unnecessary for most people, if a fix is available today. If you have already updated to version 16.0 (see Help / About Firefox), I think the risk of waiting a few hours for a patch is small; also, version 16.0 did fix a number of other vulnerabilities, some more serious than this one.
Mozilla has temporarily pulled version 16.0 from the automatic download page(s), although it is still available elsewhere on the Mozilla site. They expect to release a fix today, Thursday, October 11. I’ll post another note here when the fix is available.
Update Thursday, October 11, 14:45 EDT
Mozilla has released an updated version 16.0.1 for Android (on Google Play) that fixes this vulnerability, and it appears that they are in the process of releasing the updated version for desktop systems. I’ll do my best to stay on top of this.
Update Thursday, October 11, 15:00 EDT
Firefox 16.0.1, which fixes this vulnerability, is now available from Mozilla’s download page; updated Release Notes are also available.