Closed
Bug 1431265
Opened 7 years ago
Closed 7 years ago
Firefox allows website to control navigation keys and pop-up window spamming
Categories: Firefox :: Untriaged, defect
Status: RESOLVED DUPLICATE of bug 1412559
People: Reporter: marada976, Unassigned
Attachments: 1 file (94.72 KB, application/zip)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180106232447
Steps to reproduce:
Visit the following website:
http://defenderadblockerext.xyz/ff/?_subid=1q5j8d81a2lprg0kcdbn&_token=uuid_1q5j8d81a2lprg0kcdbn_1q5j8d81a2lprg0kcdbn5a5fcfe38f1672.03479237
Please do not report this site as malicious before you make sure to save the entire site code, as I would like to resolve the issue generally rather than just block a single website using this vulnerability.
Actual results:
1. Clicking the right mouse button causes full-screen mode instead of the Firefox menu.
2. A pop-up window with information about resending data is called by JavaScript in a malicious way, blocking any browser action.
https://youtu.be/H-oEebd-6QA
Expected results:
1. Right mouse clicking should always open the Firefox menu, regardless of the website content.
2. The pop-up message should either:
- be opened in an internal browser window to avoid disabling any other actions like closing the tab,
- include "do not ask again" box to avoid abuse,
- not be allowed to be called from JavaScript.
Comment 1 • 7 years ago
(In reply to Marcin from comment #0)
> Created attachment 8943444 [details]
> website-code-incomplete.zip
>
> User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101
> Firefox/57.0
> Build ID: 20180106232447
>
> Steps to reproduce:
>
> Visit following website:
> http://defenderadblockerext.xyz/ff/
> ?_subid=1q5j8d81a2lprg0kcdbn&_token=uuid_1q5j8d81a2lprg0kcdbn_1q5j8d81a2lprg0
> kcdbn5a5fcfe38f1672.03479237
> Please do not report this site as malicious before you make sure to save
> entire side code as I would like to resolve the issue generally rather than
> just block a single website using this vulnerability.
>
>
> Actual results:
>
> 1. Clicking the right mouse button causes full screen mode instead of
> firefox menu.
This is https://bugzilla.mozilla.org/show_bug.cgi?id=1428913
> 2. Pop-up window with information about resending data called by javascripts
> in malicious way blocking any browser action.
> https://youtu.be/H-oEebd-6QA
This is https://bugzilla.mozilla.org/show_bug.cgi?id=1412559, already fixed in Firefox 58 (released next week).
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE