CVE-2016-2832
Description
Firefox before 47.0 leaks the list of disabled plugins to remote attackers via CSS pseudo-classes, enabling fingerprinting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Mozilla Firefox versions prior to 47.0, the CSS pseudo-class :-moz-handler-disabled (and related pseudo-classes) can be used by web content to determine whether a specific plugin is installed but disabled [2][3]. This allows a remote attacker to enumerate the complete list of plugins on a user's system, even those that are disabled. The vulnerability resides in the CSS parsing and computation engine, where the state of plugins is exposed through CSS selector matching.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious webpage that includes CSS rules targeting the :-moz-handler-disabled pseudo-class for various known plugin identifiers. When a user visits the page, the browser evaluates the CSS selectors and reveals which plugins are present but disabled. No authentication or special privileges are required; the attacker only needs to lure the user to the crafted page.
Impact
Successful exploitation results in information disclosure: the attacker learns the set of plugins installed on the victim's system, including those that are disabled. This information can be used for browser fingerprinting and to tailor further attacks based on the known plugin set.
Mitigation
The vulnerability is fixed in Firefox 47.0, released on June 7, 2016 [3]. Users should update to Firefox 47 or later. No workaround is available for earlier versions. The issue is not known to be exploited in the wild and is not listed on the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (range: <=46.0.1)
- (no CPE) (range: <47.0)
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- osv-coords (2 versions): pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed, pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
- (no CPE) (range: < 128.5.1-1.1)
- (no CPE) (range: < 50.1.0-1.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/announce/2016/mfsa2016-59.html (nvd, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2016-06/msg00014.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.html (nvd)
- www.securitytracker.com/id/1036057 (nvd)
- www.ubuntu.com/usn/USN-2993-1 (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
News mentions
No linked articles in our index yet.