Closed Bug 261057 Opened 21 years ago Closed 17 years ago

adir.dk / hitcount.dk - Clicking anywhere replaces page with blank page

Categories

(Tech Evangelism Graveyard :: Danish, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bai, Unassigned)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040917 Firefox/0.9.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040917 Firefox/0.9.3

This page captures mouse clicks on the background. The active region extends to the scrollbar. This means that clicking the scrollbar starts the loading of a new page. I can't see exactly how this happens, but I get the feeling that apart from being annoying, it could be exploited to trick people into loading pages they would not want.

Reproducible: Always

Steps to Reproduce:
1. Load the given URL
2. Click the scrollbar to drag the window.
3.

Actual Results:
I get a blank page (black in my debian firefox, and white in the nightly build). The browser icon indicates a page loading. I have not seen a complete page load.

Expected Results:
Scrolled the contents of the current tab.

Here's what's going on:

1. http://www.adir.dk/extern/temaer/temaferie.htm loads a script from hitcount.dk.
2. The hitcount.dk script sets up an onmousedown handler that's meant to track which link you click.
3. The onmousedown handler uses "event" as if it were a global variable (which is true in IE but not in Firefox). So when it's executed, it generates a JS error.
4. The hitcount.dk script also sets up an onerror handler.
5. The onerror handler uses document.write.
6. Since the page has already finished loading, the document.write creates a new page instead of adding to the existing one.

In conclusion, the hitcount.dk script is very screwed up.

-> tech evang

Assignee: firefox → danish
Component: General → Danish
Product: Firefox → Tech Evangelism
QA Contact: firefox.general → danish
Summary: Page captures scrollbar. Clicking on scrollbar is equivalent to cliking on a link. → adir.dk / hitcount.dk - Clicking anywhere replaces page with blank page
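
The failure chain analysed above, as an added example that is not part of the bug report and not the hitcount.dk script: a small model of a document that is replaced when `document.write` runs after load, with the buggy handler pattern beside a corrected one. `MockDocument`, `tracker.example`, the page content and all function names are constructed for illustration.

```javascript
// Constructed model, not the hitcount.dk script. MockDocument encodes one
// browser rule: document.write() after load implicitly reopens the document.
class MockDocument {
  constructor(body) { this.body = body; this.readyState = "loading"; }
  finishLoading() { this.readyState = "complete"; }
  write(html) {
    if (this.readyState === "complete") { // implicit document.open()
      this.body = "";
      this.readyState = "loading";
    }
    this.body += html;
  }
}

// Dispatch as a browser without a global `event` does: the event object is
// the handler's argument, and an uncaught exception reaches onerror.
function dispatchMouseDown(page, evt) {
  try {
    page.onmousedown(evt);
  } catch (err) {
    if (page.onerror) page.onerror(err.message);
  }
}

// Buggy pattern: reads `event` as a global, reports errors via document.write.
function buggyTracker(page) {
  page.onmousedown = function () { page.clicks.push(event.target); };
  page.onerror = function () { page.doc.write('<img src="https://tracker.example/err.gif">'); };
}

// Corrected pattern: takes the event as a parameter, never writes on error.
function fixedTracker(page) {
  page.onmousedown = function (e) { if (e && e.target) page.clicks.push(e.target); };
  page.onerror = function (msg) { page.errors.push(msg); return true; };
}

// Load a page with the given tracker, then click on the scrollbar region.
function clickScrollbar(tracker) {
  const doc = new MockDocument("<p>holiday offers</p>");
  const page = { doc, clicks: [], errors: [] };
  tracker(page);
  doc.finishLoading();
  dispatchMouseDown(page, { target: "scrollbar" });
  return page;
}

console.log("buggy:", JSON.stringify(clickScrollbar(buggyTracker).doc.body));
console.log("fixed:", JSON.stringify(clickScrollbar(fixedTracker).doc.body));
```
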
This isn't a security hole. Pages can hide the scrollbar (e.g. by not having enough content to scroll), so they can spoof it.
That site is 404. FIXED by death of testcase.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Tech Evangelism Graveyard