Closed Bug 240246 Opened 20 years ago Closed 16 years ago

popup window passed between frames can evade blocker

Categories

(SeaMonkey :: UI Design, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: danm.moz, Unassigned)

Attachments

(3 files)

A window contains at least two frames. At load time one of them (frame B) calls
a function in the parent window which in turn calls a function in a second frame
(frame A) which opens a new window. If frame A happens to finish loading before
frame B, Mozilla doesn't realize the window is still loading, and opens the popup.

In codeish form, the main page looks like this:
<html><head><script>
function startPopup() {
  try { // frameA may not be loaded yet
    frameA.openPopup();
  } catch(e) {
  }
}
</script></head>
<frameset rows="50,50">
  <frame src="frameA.html" name="frameA">
  <frame src="frameB.html">
</frameset>
</html>

frame A contains the openPopup function

<html><head><script>
  function openPopup() {
    // alert if running on local hard drive
    window.open("about:blank", "_blank");
  }
</script></head></html>

frame B starts the load in motion

<html><head><script>
  parent.startPopup();
</script></head></html>

This technique is used, probably accidentally, at www.bonus.com. That site
attempts to open a bunch of popups, some of them "invisible" (though not in
Mozilla) and succeeds in opening one on perhaps every third attempt. The chances
can be raised by inserting more intervening frames between A and B.

An alert inserted in the function in frame A shows the popup every time when
attempting to reproduce from a local hard disk.
Attached file frame A
Attached file frame B
Blocks: popups
http://www.designobject.com/main/index.html?product=389 is a similar example. It
does the same thing, but rather than go through a function in the parent window
it calls the other frame's function directly. That is, in its load handler,
frame[3] calls a function in parent.frame[1], which opens a window.
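
Added example (not part of the bug report and not Mozilla's code): a simplified JavaScript model of the check described above, where a load-time window.open() is judged only by the load state of the frame that runs it, so a call routed through an already-loaded sibling frame gets through. Frame, naiveAllows, treeAllows and replay are hypothetical names, and the stricter policy is one possible rule, not the fix that later landed.

```javascript
// Simplified model of the load-time popup check discussed in this bug.
// Assumption: all names here are hypothetical and exist only for illustration.
class Frame {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.loading = true; // true until this document's load completes
    if (parent) parent.children.push(this);
  }
  get top() { return this.parent ? this.parent.top : this; }
}

// A window is still loading while it or any descendant frame is still loading.
function treeLoading(frame) {
  return frame.loading || frame.children.some(treeLoading);
}

// Naive policy: only the frame whose window.open() runs is inspected.
function naiveAllows(opener, userGesture) {
  return userGesture || !opener.loading;
}

// Stricter policy: without a user gesture, refuse the open while any
// document under the same top-level window is still loading.
function treeAllows(opener, userGesture) {
  return userGesture || !treeLoading(opener.top);
}

// Replays the testcase: frame B, still loading, calls into frame A (through
// the parent or directly), and frame A calls window.open().
// aFinishedFirst is the outcome of the load race between the two frames.
function replay(aFinishedFirst, policy) {
  const top = new Frame("top");
  const frameA = new Frame("frameA", top);
  new Frame("frameB", top);          // frame B is mid-load in both outcomes
  frameA.loading = !aFinishedFirst;
  return policy(frameA, false) ? "popup opened" : "popup blocked";
}

console.log("naive, A first:", replay(true, naiveAllows));
console.log("naive, A late: ", replay(false, naiveAllows));
console.log("tree,  A first:", replay(true, treeAllows));
console.log("tree,  A late: ", replay(false, treeAllows));
```
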
This site http://www.sportsline.com/nfl/story/7538370 seems to be using a
similar technique using setTimeout and an iframe.
No longer blocks: popups
I too can reproduce this from www.sportsline.com.  I think the offending code is
here:

<br clear="all">
    <iframe src="/blank.html" name="popunder" id="popunder" width="1" height="1" scrolling="no" frameborder="0"></iframe>
<SCRIPT language='JavaScript'>
var _popTag="";
function createPop() {
    if (IE||DOM) {window.frames.popunder.document.write(_popTag);}
    return;
    }
var _l=2105058073;
var pub_click_url = '';
var _isaclick=1;
var _extra = (pub_click_url == "" ? "" : ( _isaclick ? "&aclick="+pub_click_url : "&pclick="+pub_click_url));
var _cn = "L"+_l+"=";
var _pop=document.cookie.indexOf(_cn); var _il = 1;
var _tl = 0;
var _ex;
if (_pop >= 0) { _pos=document.cookie.substring(_pop).indexOf(';');
if (_pos >0 ) _val = document.cookie.substring(_pop+_cn.length,_pop+_pos); else _val = document.cookie.substring(_pop+_cn.length);
if (_val.indexOf('.') > 0 ) { _il = _val.substring(0,_val.indexOf('.'));
_ex = _val.substring(_val.indexOf('.')+1);
_tl = _ex - (new Date()).getTime(); }
if (_tl <= 0) document.cookie=_cn+";path=/;expires="+(new Date((new Date()).getTime() - 1000000)).toGMTString()+";";  }
if ( _il > 0 || _tl <=0 ) { 
    _popTag="<html><body>"
    + "<sc"+"ript language='javascript' src='http://adopt.specificclick.net/adopt.sm?l="+_l+"&sz=pop&r=j&pfc=1&rnd="+random+""+_extra+"'>"
    + "</sc"+"ript>"
    + "</body></html>";
    setTimeout("createPop();",2000);
    }
</SCRIPT>

BTW, if I take a local copy of the web page & change the sc"+"ript to script I
can pretty much at will cause the popup to either occur or not occur.  When I
tested this I made sure to delete the cookies after each attempt.  I am no
expert at javascript but is this how it could be evading the popup blocker?
Group: security
Comments 5 and 6 refer to another way to evade our pop-up blocker, bug 253780.
Bug was made security confidential because of the script posted in comment 6.
It's more effective than the testcase already in this bug and, by the way,
unrelated to this bug. See comment 7.
Clearing confidentiality flag, since evading the popup blocker is not a major
security issue, and methods for such evasion are publicly known already anyway.
Group: security
Product: Core → Mozilla Application Suite
Assignee: danm.moz → nobody
Have noticed this behaviour in 1.8b1 - ever since upgrading from 1.7, I get
frequent popunders that aren't blocked.
I also encounter it in webmail hosted by everyone.net. I think the web ad company
is intentionally using this technique to bypass the Firefox/Mozilla popup blocker.
I'm pretty sure this issue has been fixed in bug 252326. I can reproduce it in
Mozilla 1.7.3 but not in 1.7.8 or a current trunk build. Dan, please confirm.

rubbish@dr.com: if you have Mozilla 1.7.5/Firefox 1.0 or higher please open a
separate bug on this problem. If not - upgrade your browser.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME