VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2657

Description

Firefox retains the list of 'Passwords Never Saved' sites after uninstallation, exposing user browsing history to other local users on shared Windows profiles.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Mozilla Firefox 1.5.0.1, and possibly other versions, stores the list of websites for which the user selected "Never Save Password" in the user profile. When Firefox is uninstalled, this profile data is not removed. If a new installation of Firefox is performed on the same Windows user account, the previously stored list of "Never Save" sites is still present and accessible via the Password Manager [1]. The vendor disputed the severity, stating that the uninstaller is intended to remove the application, not user data [1].

Exploitation

An attacker requires local access to the same Windows user account (shared profile) that was used by the victim. The victim must have used Firefox and chosen "Never Save Password" for certain websites. After the victim uninstalls Firefox, the attacker installs a new copy of Firefox on the same Windows account. Opening the Password Manager reveals the list of sites for which the victim had previously selected "Never Save" [1]. No authentication or special privileges are needed beyond local access to the user account.

Impact

The attacker gains knowledge of the specific websites the victim visited and chose not to save passwords for, potentially revealing sensitive browsing habits (e.g., dating sites, adult content). This is a privacy disclosure that can lead to personal or relationship consequences, as reported in the bug [1]. No code execution, privilege escalation, or data modification occurs.

Mitigation

The vendor closed the related bug as WONTFIX, arguing that the uninstaller is not responsible for removing user data [2]. No official patch was released. Users can manually delete the Firefox profile directory (e.g., %APPDATA%\Mozilla\Firefox\Profiles\) before uninstalling or after a fresh installation to prevent exposure [2]. Using separate Windows user accounts does not mitigate the issue if the same profile directory is reused [1].
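An added example, not part of the advisory or of Mozilla's own tooling, of the manual cleanup described above as a PowerShell script: it reads profiles.ini under %APPDATA%\Mozilla\Firefox to locate every profile directory for the current Windows user and removes them, so the "Passwords Never Saved" list cannot survive into a later installation. It assumes the standard profiles.ini layout ([ProfileN] sections with Path= and IsRelative= keys); run it with -WhatIf first to preview what would be deleted.

```powershell
# Added example (not from the advisory): remove leftover Firefox profile data
# for the current Windows user before uninstalling, so the "Passwords Never
# Saved" list does not survive into a later installation. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$FirefoxAppData = (Join-Path $env:APPDATA 'Mozilla\Firefox')
)

$profilesIni = Join-Path $FirefoxAppData 'profiles.ini'
if (-not (Test-Path $profilesIni)) {
    Write-Host "No profiles.ini under $FirefoxAppData; nothing to clean."
    return
}

# Parse profiles.ini: each [ProfileN] section carries Path= and IsRelative=.
# Sections without a Path (e.g. [General]) are ignored.
$section  = $null
$profiles = @()
foreach ($line in Get-Content $profilesIni) {
    if ($line -match '^\[(.+)\]$') {
        if ($section -and $section.Path) { $profiles += $section }
        $section = @{ Name = $matches[1]; Path = $null; IsRelative = '1' }
    } elseif ($section -and $line -match '^(Path|IsRelative)=(.*)$') {
        $section[$matches[1]] = $matches[2]
    }
}
if ($section -and $section.Path) { $profiles += $section }

foreach ($p in $profiles) {
    # Relative paths are resolved against the Firefox app-data directory.
    $dir = if ($p.IsRelative -eq '1') { Join-Path $FirefoxAppData $p.Path } else { $p.Path }
    if (-not (Test-Path $dir)) { continue }
    # The profile directory holds the signon store, which contains both saved
    # logins and the "never save" site list this advisory is about.
    if ($PSCmdlet.ShouldProcess($dir, "Remove Firefox profile '$($p.Name)'")) {
        Remove-Item -LiteralPath $dir -Recurse -Force
    }
}

# Remove profiles.ini too, so a fresh install does not rediscover old profiles.
if ($PSCmdlet.ShouldProcess($profilesIni, 'Remove profiles.ini')) {
    Remove-Item -LiteralPath $profilesIni -Force
}
```

Because the data lives in the per-user profile rather than in the installation directory, this has to be run for each Windows account that used Firefox; uninstalling the application alone leaves it in place.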

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*
  • (no CPE) version range: =1.5.0.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

Firefox's uninstaller does not remove user profile data, and the Password Manager's "Passwords Never Saved" list is stored in the shared profile without per-Windows-user isolation.

Attack vector

A local attacker who shares a Windows machine with another user can view the "Passwords Never Saved" list after a new installation of Firefox if the previous installation's profile data was not fully removed. The attacker simply opens Firefox, navigates to Tools > Options > Passwords > View Saved Passwords, and clicks the "Passwords Never Saved" tab to see all sites the previous user chose never to save passwords for [1]. No authentication or special privileges are required beyond access to the same Windows user profile or a profile that inherits leftover data from a prior installation.

Affected code

The bug report identifies the Password Manager (Toolkit :: Password Manager) as the affected component. The "Passwords Never Saved" list is stored in the user profile and is not cleared during uninstallation, nor is it separated per Windows user account when profiles are shared.

What the fix does

No patch is provided in the bundle. The vendor disputed the issue, stating that the uninstaller is intended to remove the application, not user data, and that profile separation is a feature, not a flaw [1]. The bug was marked as a duplicate of bug 234680 and closed as RESOLVED DUPLICATE. The advisory's implicit remediation is that users who require privacy should ensure Firefox profiles are not shared between Windows accounts and should manually delete profile data before uninstalling.

Preconditions

  • auth: Attacker must have local access to a Windows machine that previously had Firefox installed under a different user's account or shared profile.
  • config: The previous Firefox installation's profile data (including the 'Passwords Never Saved' list) must not have been manually deleted before the new installation.
  • input: The attacker installs Firefox (or uses an existing installation) on the same Windows machine, which may detect and reuse the leftover profile.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (0)

No linked articles in our index yet.