Steps to reproduce the bug: Demo: https://goo.gl/z20BNH 1)Go to this link and click on "Click me" 2) You'll be redirected to google.com and as soon as you'll be redirected to google.com the Pop-up will appear asking you for the username and password.
The Bug works on all Operating systems: Windows, iOS, Android etc.
Since I can not see the other details I provided.. Here they are: Impact and Description: As soon as the victim will be redirected to google.com the Pop-up will appear asking the victim for the username and password making him believe that it is the 'Trusted' website, ( In this case, it is google.com but it can be literally any website. For instance, Microsoft.com, Gmail.com, Facebook.com, Paypal.com ) which is asking for Username and Password which in real is not. Instead it is the website of the attacker asking for victims details. Possible fix: The browser must update the address bar and hide the original document before showing the prompt.
Are you reporting a vulnerability in a website or in firefox?
Please look for duplicates when filing bugs, especially when filing bugs that are published on public websites like lcamtuf.coredump.cx . This is a well-known issue.