A security update to the Browser Agent will detect file:// URI schemes and stop any further execution and data collection if found.
Release date: March 9th, 2021
Vulnerability identifier: NR21-01
The following New Relic agent versions are affected:
Browsers can render local files on a host machine by using the file:// URI scheme outlined in RFC 8089. During the agent's harvest cycle, this file:// URI will be recorded as the pageURL datapoint. This may result in the collection of potentially sensitive data included in the local file path, such as the directory path for the saved webpage and any name or company information in the directory path. More information regarding the file:// URI can be found in RFC 8089.
A person must both download a webpage with the Browser agent configured and open the file in a browser. HTML files loaded without the file:// URI scheme are not affected.
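The check described above can be illustrated with a small harvest filter. This is an added example, not New Relic's agent code: the function names and the event shape are hypothetical, and the sample events are constructed. It drops any event whose pageURL parses to the file: scheme, in any of the RFC 8089 forms, and fails closed on URLs it cannot parse.

```javascript
// Added example; isLocalFileUrl, filterHarvest and the event shape are
// hypothetical names, not part of the Browser agent.

// Returns true for file: URLs (file:///path, file:/path, file://host/path),
// false for any other parseable URL, and null when the value cannot be parsed.
// The URL parser lowercases the scheme, so "FILE:" is caught as well.
function isLocalFileUrl(rawUrl) {
  try {
    return new URL(rawUrl).protocol === "file:";
  } catch (e) {
    return null;
  }
}

// Filters a batch before it is sent. Events with a local or unparseable
// pageURL are dropped whole rather than redacted, so no part of the
// local directory path leaves the machine.
function filterHarvest(events) {
  const sent = [];
  let dropped = 0;
  for (const ev of events) {
    if (isLocalFileUrl(ev.pageURL) === false) {
      sent.push(ev);
    } else {
      dropped += 1;
    }
  }
  return { sent, dropped };
}

// Constructed sample batch: three file: variants, one web URL, one bad value.
const SAMPLE_EVENTS = [
  { pageURL: "file:///C:/Users/jane.doe/AcmeCorp/saved.html", timing: 120 },
  { pageURL: "FILE:///home/alice/page.html", timing: 95 },
  { pageURL: "file:/tmp/x.html", timing: 80 },
  { pageURL: "https://shop.example.com/cart", timing: 210 },
  { pageURL: "not a url", timing: 10 },
];

const result = filterHarvest(SAMPLE_EVENTS);
console.log("sent:", result.sent.map((e) => e.pageURL), "dropped:", result.dropped);
```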
New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.