The TBP extension to Mozilla Firefox contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a new tab is created and a URL is typed directly into the address bar. This tab will incorrectly inherit the URL of the previous tab as an HTTP referrer, even if there was no direct link to the new URL. This will disclose a user's previous browsing information which may include private web space, session information, or login/password information if contained in the referring URL.

Upgrade to version 0.6.8 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the TBP extension.

• Vendor Specific Advisory URL: http://bugzilla.mozilla.org/show_bug.cgi?id=252410
• Vendor URL: http://www.pryan.org/mozilla/site/TheOneKEA/tabprefs/

• security curmudgeon - attrition.org

NVD does not currently have a CVSSv2 score assigned.