Navigation Using beforeunload and document.open
Categories
(Core :: DOM: Navigation, defect)
People
(Reporter: alisyarief.404, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [client-bounty-form])
Attachments
(2 files)
VULNERABILITY DETAILS
Handling of navigation and redirection triggered by the beforeunload event. This vulnerability allows an attacker to prevent users from returning to the previous page and redirect them to a phishing site without their knowledge.
The beforeunload event signals to the browser that the user is attempting to leave the page. After the alert is displayed, the user will be redirected to a different site. However, the actual navigation is handled with document.open(), which replaces the current content and does not save navigation history in the browser.
When users are redirected, they cannot return to their previous site using the back button in the browser, thereby increasing the risk of phishing.
VERSION
OS : macOS Monterey
Firefox Nightly : 133.0a1 (2024-10-13) (64-bit)
REPRODUCTION CASE
- Open before.html
- Click "Activate" button
- After 3 seconds, the user will see an alert and be redirected
Comment 2•1 month ago
The navigation does not involve window.open, and there's no real beforeunload event, so it is basically just calling a method directly, so this doesn't really make sense and doesn't seem like an issue. Basically this is just the same as calling window.location.replace("http://127.0.0.1:8883/phising/");