Robin Divino and Dhiraj Mishra have found that the latest Firefox browser, Firefox Quantum, is not honoring the rel=noreferrer attribute on HTML links, thereby leaving users at risk of data leakage when visiting external domains.
The noreferrer value tells the browser not to pass the Referer header on to the new domain, which prevents sensitive data in the URL, such as password reset tokens and OAuth tokens, from leaking.
The bug was fixed by Mozilla, but the duo believe that the original bug could have affected millions of users since Firefox Quantum was released in November 2017.
They recommend that other browsers also be audited for this problem.
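To make the mechanism concrete from the site owner's side, the Python sketch below is an added example (not code from the researchers or Mozilla) that reports which cross-origin links on a page lack noreferrer and which sensitive query parameters the page URL would expose through Referer. The parameter names, the `audit` helper and the `.example` hosts are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

# Assumed parameter names for this sketch; adjust to the application's own.
SENSITIVE_PARAMS = {"token", "reset_token", "access_token", "code"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) so explicit default ports compare equal."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def secrets_in_url(page_url):
    """Sensitive query parameter names; the fragment is never sent in Referer."""
    keys = {k for k, _ in parse_qsl(urlsplit(page_url).query, keep_blank_values=True)}
    return sorted(keys & SENSITIVE_PARAMS)

class LinkAudit(HTMLParser):
    """Collect cross-origin links that lack the noreferrer keyword in rel."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.leaky = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        href = attrs.get("href")
        if tag not in ("a", "area") or not href:
            return
        target = urljoin(self.page_url, href)
        if urlsplit(target).scheme not in DEFAULT_PORTS:
            return  # non-HTTP schemes (mailto:, etc.) carry no Referer header
        if origin(target) == origin(self.page_url):
            return  # same origin: nothing leaves the site
        # rel is a space-separated, case-insensitive token list; a bare attribute is None
        rel = (attrs.get("rel") or "").lower().split()
        if "noreferrer" not in rel:
            self.leaky.append(target)

def audit(page_url, html):
    parser = LinkAudit(page_url)
    parser.feed(html)
    parser.close()
    return {"secrets": secrets_in_url(page_url), "leaky_links": parser.leaky}

# Constructed sample: a password-reset page with outbound links.
SAMPLE_URL = "https://app.example/reset?token=abc123&lang=en"
SAMPLE_HTML = """<a href="/help">help</a> <a href="mailto:help@app.example">mail</a>
<a href="https://cdn.example/terms" rel="noopener NoReferrer">terms</a>
<a href="https://social.example/share">share</a> <a href="//ads.example/x" rel>ad</a>"""
```

A page that reports both a non-empty `secrets` list and a non-empty `leaky_links` list would expose those parameters to the listed hosts. The check covers the markup only, so it does not show whether a given browser actually honors the attribute.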