Firefox Prefetch

An advisory to Firefox users. Firefox is set by default to allow links to be prefetched. It is a security issue. It is an open doorway for malware.

Link prefetching is a browser mechanism, which utilizes browser idle time to download or prefetch documents that the user might visit in the near future. A web page provides a set of prefetching hints to the browser, and after the browser is finished loading the page, it begins silently prefetching specified documents and stores them in its cache. When the user visits one of the prefetched documents, it can be served up quickly out of the browser’s cache.
To turn it off…

  • New tab, type about:config
  • If you get the warranty void warning, click “ok I’ll be careful”
  • In the Filter field, enter network.prefetch-next
  • If set to false, you’re good, otherwise double-click the config line which will set it to false.

But how nice is Firefox? As long as you have an anti-malware program like ‘Malwarebytes’ it isn’t a big problem. I’ve used Firefox for years and the one virus I got was easily recognized by my anti-malware and removed. It’s great, I never use Internet Explorer anymore. Plus, you can rename it ‘Swiper’ for kicks. Of course you can also rename Internet Explorer ‘Dora the internet explorer’, whatever floats your boat. :)

Was this ever fixed in any official versions?

I don’t think prefetch (in the way Firefox implements it) can open the door for malware.

From a security standpoint, the worst it can do is allow cookies to be sent by the prefetched domain. It could make things happen on the website’s server, but that would be related to server vulnerabilities, not vulnerabilities on your computer. Prefetch does not even activate scripts from the prefetched page.

Prefetch will only download the page specified by the current page as the “next” page. For example, Google search result pages sometimes specify the most commonly clicked result as the “next” page.

I’m with Dan on this one. If there’s a real security threat, please point me to the source of that information, someone reporting on it, anything. All I could find from Googling is some other people saying that this could be a security risk. None of them seemed to go any deeper than that. FWIW, it’s apparently enough of a non-issue that a Google search for Firefox prefetch security turns this thread up on the first page. I realize that there may indeed be some risk by leaving it enabled, but until I hear some reputable security firm echo this sentiment, I like my speed surfing enough to leave prefetch turned on.

One reason people may be concerned about the feature is that they may have confused prefetch with what Google Web Accelerator did. Google Web Accelerator would follow every non-https link on a page indiscriminately, which caused problems, and it had a few other flaws. Prefetch doesn’t do that.
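For readers who want to see what a page actually asks the browser to prefetch, here is an added example (not code from any poster in this thread or from Mozilla) that lists the prefetch hints in a page and flags those pointing at a different host, which is where the cookie point raised above applies. It assumes hints are `<link>` elements or `Link:` header entries with a `rel` of `prefetch` or `next`; the sample page, header and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: a hint is a <link> tag or Link: header entry with rel prefetch/next.
HINT_RELS = {"prefetch", "next"}

# Constructed sample page and header, not taken from any real site.
SAMPLE_URL = "https://search.example/results?q=firefox"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/site.css">
<link rel="next" href="/results?q=firefox&amp;page=2">
<link rel="prefetch" href="https://top-result.example/article.html">
</head><body>results</body></html>"""
SAMPLE_LINK_HEADER = '</img/banner.png>; rel=prefetch, </site.css>; rel="stylesheet"'

class _LinkCollector(HTMLParser):
    """Collects (rel, href) pairs from <link> tags, in document order."""
    def __init__(self):
        super().__init__()
        self.hints = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            rels = set((a.get("rel") or "").lower().split())
            self.hints += [(r, a["href"]) for r in sorted(rels & HINT_RELS)]

def header_hints(link_header):
    """Parse an HTTP Link: header value into (rel, target) pairs."""
    out = []
    for target, params in re.findall(r"<([^>]*)>([^,<]*)", link_header or ""):
        m = re.search(r'\brel\s*=\s*"?([^";]+)"?', params, re.I)
        rels = set(m.group(1).lower().split()) if m else set()
        out += [(r, target) for r in sorted(rels & HINT_RELS)]
    return out

def prefetch_targets(page_url, html, link_header=""):
    """Return each hint as rel, absolute URL, and whether the host differs."""
    parser = _LinkCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    found = parser.hints + header_hints(link_header)
    return [{"rel": rel, "url": urljoin(page_url, href),
             "third_party_host": urlsplit(urljoin(page_url, href)).hostname != page_host}
            for rel, href in found]

if __name__ == "__main__":
    for hint in prefetch_targets(SAMPLE_URL, SAMPLE_HTML, SAMPLE_LINK_HEADER):
        print(hint)
```

Run against a saved copy of a page and its response headers, the `third_party_host` entries are the requests that would go to another domain without a click while `network.prefetch-next` is left enabled.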