https://bugzilla.suse.com/show_bug.cgi?id=1227486 Bug ID: 1227486 Summary: kmozillahelper touching the internet at all seems like a potentially significant security issue Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: el@horse64.org QA Contact: qa-bugs@suse.de Target Milestone: --- Found By: --- Blocker: --- kmozillahelper seems to look up hosts on its own. I noticed this when clicking URLs where often they won't even reach firefox because kmozillahelper already looked them up. I think this is in some environments a significant security problem, since the user expectation is 1. the URL will be handled by their browser and nothing else, 2. firefox supports DNS over TLS so the user may expect their ISP doesn't see what URLs they're clicking, 3. unless kmozillahelper perfectly replicates firefox's entire network stack including reading its settings, that means it may be effectively bypassing all these security settings without user consent and leaking the URLs to the ISP and other parties without a warning. My apologies if I just missed something, but if these observations are correct then I think kmozillahelper as it conceptually seems to work right now is a security hole. It shouldn't touch the internet whatsoever about the URLs, and just hand them off to firefox. -- You are receiving this mail because: You are on the CC list for the bug.