Closed Bug 1457091 Opened 7 years ago Closed 7 years ago

Popunder restriction bypass with keydown and keypress event

Categories

(Firefox :: Untriaged, defect)

56 Branch
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: deepakdas288, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20171024165158

Steps to reproduce:

Steps to reproduce the problem:
1. Navigate to https://vulnerabledoma.in/popunder/keyevent.html . In this page, two key event listeners are set:

    // keydown handler: opens the target page in a new window
    onkeydown=function(){ window.open('//example.com/','_blank','a'); }
    // keypress handler: opens a blank window and closes it immediately
    onkeypress=function(){ window.open('about:blank','_blank').close(); }

2. Press any key.
3. A popunder window is opened.

Actual results:
popup opened

Expected results:
The popunder window should not be opened.
I'm unable to reproduce this on 61 nightly, are you able to reproduce this on either nightly or the latest release?
Flags: needinfo?(deepakdas288)
I can't reproduce with ESR-52 either -- the popups are caught by the popup blocker. When I whitelist the attack site I get popups, but not pop-unders.
I am able to reproduce in 56.0.2 (64-bit)
Flags: needinfo?(deepakdas288)
Did you try with a more recent release?
No
Could you please see if you can reproduce with a newer release; Firefox 56 is no longer supported.
I just checked; it's blocked by the popup whitelist.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Group: firefox-core-security