Closed Bug 1354168 Opened 6 years ago Closed 6 years ago

Maximum number of allowed pop-ups can be bypassed

Categories

(Firefox :: Untriaged, defect)

52 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 675574

People

(Reporter: mail, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170323105023

Steps to reproduce:

The victim has to call JavaScript via a trusted event like a click on a button to show pop-up windows.


Actual results:

In case of a trusted event (e.g., click), we are able to open an arbitrary number of pop-up windows. Though "dom.popup_maximum" (about:config) has a maximum number of 20 pop-up windows, we can for example create 100 pop-up windows and thus flood the browser with an arbitrary number of windows.


Expected results:

There should be only allowed the defined number (20) of windows.
Please note that this could be used by the advertisement industry to bypass the pop-up blocker behavior. Furthermore, an attacker could simply annoy the user (long wait times until the browser responds/ many windows) by flooding his browser with windows (with pop-ups or tabs).
I'm pretty sure we have a dupe on this
Blocks: eviltraps
Group: firefox-core-security
Whiteboard: DUPEME
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME
Duplicate of bug: 675574
You need to log in before you can comment on or make changes to this bug.