Closed Bug 115823 Opened 23 years ago Closed 23 years ago

JavaScript vulnerability allows browser to be closed without prompt

Categories

(Core :: Security, defect)

x86
All
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 32571

People

(Reporter: gwagner, Assigned: security-bugs)

References

()

Details

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)
BuildID:    Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.6+) 
Gecko/20011217

The following code allows the main parent browser window to be closed without 
the user being prompted, even if the main parent browser window has history. 
Under normal circumstances, JavaScript can't close the main parent browser 
window without the user being prompted (as long as the window has history). The 
code below that allows this should be trapped and Netscape should prevent this 
from occurring since it would allow sites to mess with the user's browser.

<html><head>
<title>SBB AE 7/14</title>
<script language="JavaScript" type="text/javascript">

if(window.name!='VW'){
window.opener=self; // for at undgå advarslen "Vil du lukke vinduet?"
newwin=window.open(self.location,'VW','menubar=no,'
 +'resizable=no,status=no,scrollbars=no');
window.close(); // lukker det oprindelige vindue
}

</script>
<script language="JavaScript" type="text/javascript">

<!--
function closeWindow(){
setTimeout('close()', 30000);//lukker vinduet efter 30 sekunder
}
//-->

</script>
<style type="text/css">
body    {background-image: url(ae714.jpg)}
h2      {color: red; position: absolute; top: 300px; left: 205px}
</style>
</head><body onload="closeWindow(); window.resizeTo(536,361),moveTo(200,200)">
<h2>SBB Ae 7/14 - Schwitzerland</h2>
</body></html>

Reproducible: Always
Steps to Reproduce:
1. copy and paste the above code into a new HTML document
2. visit several pages to create history
3. visit the page you created in step 1.

Actual Results:  A new window is opened and the main browser window opened by 
the user is closed without the user being prompted. This results in the user 
being left with a small window with no chrome, and no way to navigate away from 
the page/image forced by the website. The user has no choice but to close this 
window manually and open a new browser window to continue surfing.

Expected Results:  The user should be prompted whether they want to close the 
window they opened manually as long as that window has history.

If you perform the same steps in Netscape 4.78, you are prompted whether you 
want to close the browser window you opened and were using to browse (although 
it is still resized).
Keywords: 4xp
OS: Windows 2000 → All
Status: UNCONFIRMED → NEW
Ever confirmed: true

*** This bug has been marked as a duplicate of 32571 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.