Closed Bug 1426315 Opened 8 years ago Closed 8 years ago

Continuous "Send information" messagebox exploit

Categories

(Firefox :: Untriaged, defect)

57 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1412559

People

(Reporter: mjaoune55, Unassigned)

Details

Attachments

(1 file)

Attached image ffxbug.png
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171206182557

Steps to reproduce:

A popup ad kept using JavaScript to detect mouse movement, and whenever the mouse moves, a message asking the user to "Resend" information appears, which makes the whole tab and session not able to be closed unless killing the whole Firefox task.

Using Firefox v57.0.2

An example of such websites that exploit this: http://protecttoolext.com/ff/?_subid=34o07pd46eagdrang2j&_token=uuid_34o07pd46eagdrang2j_34o07pd46eagdrang2j5a39f3545c9884.47965091

Actual results:

The "Resend" information message kept being shown even when clicking "Cancel" or using the ESC button to exit it; the Close button to close Firefox is not available. Eventually had to use Task Manager on Microsoft Windows 7 to kill Firefox, then ran Firefox again.

Expected results:

Such websites must not be able to send information if the user didn't allow it the first time.

Suggestion: Add the option "Never for this site" on the "Resend" information messagebox.
Summary: Continuous "Send information" popup exploit → Continuous "Send information" messagebox exploit
This has been recently fixed (or de-fanged, at least) in bug 1412559. The dialog loop still happens but the resend confirmation is now "tab modal" instead of application modal so it's easy to close the malicious tab. This isn't the last "application modal" dialog in Firefox and these malicious sites will soon move on to new tricks, but we're working on similar fixes elsewhere.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE