Closed Bug 270867 Opened 20 years ago Closed 17 years ago

popup blocker fails to block popup (PayPopup.com)

Categories

(Firefox :: General, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 212163

People

(Reporter: maacruz, Unassigned)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (compatible; Konqueror/3.2) (KHTML, like Gecko)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0

When the page at http://ngemu.com/ starts, the popup is caught, but if you 
click on one of the console's links, a popup opens. 
Tested with mozilla 1.6 too. 

Reproducible: Always
Steps to Reproduce:
1.Open http://ngemu.com/ with firefox 
2.Once the page is loaded (popup has been blocked), click on a console link 
(i.e. dreamcast) 
3.Popup will open at the right lower corner of the screen 
 
Actual Results:  
Popup opens 

Expected Results:  
Popup blocked 

Javascript code in the page: 
 
<script language="JavaScript"> 
 // Site helper that sits outside the PayPopup markers further down: opens
 // `adress` in a window named 'fullimg', sized from iwidth/iheight.
 function Fullsize(adress, iwidth, iheight) { 
    var newurl = '' + adress; 
    var params = 'toolbars=0, scrollbars=0, location=0, statusbars=0, ' + 
                 'width=' + iwidth+ ', height=' + iheight 
                 // NOTE(review): no comma before ' menubars=0', so the height value
                 // and the next feature run together in the resulting string.
                 + ' menubars=0, resizable=0, left=0, top=0'; 
    // No var keyword: newwindow is created as a global.
    newwindow=window.open(newurl, 'fullimg', params); 
 } 
//--> 
</script> 
 
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript"> 
       <!-- 
       // Jump-menu helper: assigns the value of the selected <option> of form
       // element i to top.location. It navigates the existing top-level window
       // and does not call window.open.
       function getto(form, i) { 
       var site = form.elements[i].selectedIndex; 
             if ( site >= 0 ) { 
          top.location = 
form.elements[i].options[site].value; 
          } 
       } 
       // --> 
          </SCRIPT> 
<!-- PayPopup.com Popup Blocker Detector Begin --> 
<script> 
// PB ends up true when this probe concludes that a popup blocker is active.
var PB = false; 
// Error handler installed during the probe: any uncaught script error sets PB.
function failed() {PB=true;} 
// Probe 1: open a 1x1 window named "paypopuptest" at left=5000,top=5000.
// NOTE(review): this is itself a load-time window.open, so it is plausibly the
// popup the reporter sees being blocked when the page loads.
var firstPop = 
window.open("about:blank","paypopuptest","width=1,height=1,left=5000,top=5000",true); 
window.onerror=failed 
// Probe 2: open the same window name again and compare the two return values;
// equal references are taken to mean "no blocker".
var secondPop = window.open("about:blank","paypopuptest","width=1,height=1"); 
if(firstPop == secondPop) PB=false; 
else PB=true; 
// If a blocker made the first open return null, the next line throws; the
// onerror handler then sets PB=true and the remaining statements of this
// script block do not run.
firstPop.blur(); 
firstPop.close(); 
window.onerror=null; 
 
</script> 
<!-- PayPopup.com Popup Blocker Detector End --> 
<!-- PayPopup.com Advertising Code Begin --> 
<script language="JavaScript">  
var paypopup_clicked = false; 
// One-shot click handler: calls paypopup() the first time it runs and does
// nothing on later calls. paypopup() is not defined in this snippet; presumably
// it comes from the external popup.php script that the page writes in.
function gopaypopup(){ 
 if(paypopup_clicked==false){ 
  paypopup_clicked=true; 
  paypopup(); 
 } 
} 
 
// Both branches write the same external <script> tag for popup.php into the
// page. The tag is split as '<SCRI'+'PT' and '</SCR'+'IPT'; the usual reason is
// that a literal closing script tag inside an inline script would end the
// enclosing script element early (assumption, the page does not say).
if (PB) { 
 //Pop-Under Code Here 
 document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" ');  
 document.write(' 
SRC="http://www.PayPopup.com/popup.php?id=Bobbi&pop=enter&t=5&subid=7130">');  
 document.write('</SCR'+'IPT>');  
 //Pop-Under Code End 
 // Blocker detected: attach gopaypopup to every link that has no onclick
 // handler and an empty target, so the popup is requested from inside a
 // user click instead of at page load. dl and i are implicit globals.
 dl = document.links; 
 for (i=0; i< dl.length; i++) { 
  if (dl[i].onclick==null && dl[i].target==""){ dl[i].onclick = 
gopaypopup; } 
 } 
}else{ 
 //Pop-Under Code Here 
  document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" ');  
  document.write(' 
SRC="http://www.PayPopup.com/popup.php?id=Bobbi&pop=enter&t=5&subid=7130">');  
  document.write('</SCR'+'IPT>');  
  //Pop-Under Code End 
} 
</SCRIPT> 
<!-- PayPopup.com Advertising Code End --> 
 
 
Popup code: 
<HTML> 
<HEAD> 
<TITLE>Advertising_Loading_Window...</TITLE> 
<script language="JavaScript"> 
<!-- 
GoHideMe(); 
// Scheduled by the setTimeout at the end of this script (5000 ms after load):
// resets the "active" cookie, navigates this popup window to the ad URL and
// blurs it. The ref parameter appears to be the Base64-encoded referring page.
function gopopup(){ 
   delCookie(); 
   var popURL= 
"http://www1.paypopup.com/links.php?id=Bobbi&pk=&subid=7130&tid=w3119u251751&ref=aHR0cDovL25nZW11LmNvbS9nYmEv&pip=&ip=&22222=1"; 
   self.location = popURL; 
self.blur(); 
} 
// Pop-under behaviour: blurs this window, moves it to (10000,10000), shrinks it
// to 1x1 and blurs again. When navigator.appName is "Netscape" and an opener
// exists, focus is handed back to the opener. Called once at load and again
// from the body's onFocus attribute, so the window re-hides when focused.
function GoHideMe(){ 
        self.blur(); 
        self.moveTo(10000,10000); 
        self.resizeTo(1,1); 
        self.blur(); 
  if (navigator.appName=="Netscape") { 
if(window.opener){ 
window.opener.focus(); 
} 
} 
} 
// Despite the name, this does not delete anything: it sets the "active"
// cookie to 0. Used by gopopup() and by the body's onUnload attribute.
function delCookie(){ 
        document.cookie="active=0;"; 
} 
// Returns the unescaped value stored for cookieName in document.cookie, or ""
// when the name is empty or not found.
// NOTE(review): indexOf matches the name anywhere in the cookie string,
// including inside another cookie's name or value, so the lookup can land on
// the wrong entry.
function ReadCookie(cookieName) { 
 var theCookie=""+document.cookie; 
 var ind=theCookie.indexOf(cookieName); 
 if (ind==-1 || cookieName=="") return ""; 
 // The value runs from just after "name=" to the next ';' or the end.
 var ind1=theCookie.indexOf(';',ind); 
 if (ind1==-1) ind1=theCookie.length; 
 return unescape(theCookie.substring(ind+cookieName.length+1,ind1)); 
} 
//close the window 
// Self-throttle: close when the popupnum cookie is above 4 or another popup is
// already marked active. Nothing here stops the statements below from running
// after close() is called.
if (ReadCookie("popupnum") > 4 || ReadCookie("active") == 1 ){ 
  self.close(); 
} 
document.cookie = "active=1"; 
//read the popup cookie 
// popupnum is only ever set to 1 in this snippet; no increment is visible here.
var popupnum = ReadCookie("popupnum"); 
if (popupnum == ""){ 
    document.cookie = "popupnum=1"; 
} 
// String form of setTimeout: the text is evaluated as code after 5000 ms.
window.setTimeout("gopopup();", 5000); 
// --> 
</script> 
</HEAD> 
<BODY onFocus="GoHideMe();" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" 
VLINK="#800080"  onUnload="delCookie();"> 
<small>Advertising Loading Window, Powered by <a href="http://paypopup.com" 
target=_blank>paypopup.com</a></small><br> 
<img 
src="http://test.yesadvertising.com/links.php?aid=12&pid=1005&cid=1308&lid=1" 
width=1 height=1> 
</BODY> 
</HTML>
just tried this... popup gets closed. I'm using Firefox 1.0 on windows.
You can safely close this bug.
(In reply to comment #1)
> just tried this... popup gets closed. I'm using Firefox 1.0 on windows.
> You can safely close this bug.

sorry i was wrong, it actually took some time for the popup to open, so i didn't
notice it.

I think there should be a unique bugreport for all the problems with popup
blocking not working, so maybe this should be merged with #253831
I've been using Firefox for about 2 months now, without any sign of popups till
3 days ago.  It doesn't matter what site I go to, same behavior : page opens
fine, sometimes with a notice that popup was blocked; but, for at least the
first click, on any console/banner links, a popup occurs.  I don't know how to
look at the popup's source (CNTL-U doesn't work), but I suspect that the problem
is a hole in firefox code, exploited by client side code.  The primary reason
for this is that these popups are occurring from my own web site, but only when
using one of my PCs, an XP, running SP2.  My daughter indiscriminately surfs the
web, and my step son openly accesses sex sites (he's moving out soon for it
too), so perhaps they are picking up spyware that exploits a weakness in firefox
code.  Are there any Windows firewall settings that I should check?
this bug also happens with mozilla suite running in linux.

steps to reproduce:

1- in a recent linux distro, download latest nightly build (i'm using Mozilla
1.8a6 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a6) Gecko/20050101)

2- access http://www.animetorrents.com. two popups will be blocked, one at the
beginning and the other at the end of the loading process.

3- keep open some task/window list (in windowmaker click with the midle button
in an empty desktop space, in KDE/Gnome keep an eye in the task bar) and click
in "Bittorrent Downloads"

4- a very small window will apear at the lower left side of the desktop, then
grow to fill the screen.

software used:

- Debian GNU/linux unstable (SID)
- Windowmaker 0.9.1
- Mozilla suite - Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a6) Gecko/20050101

Javascript found in http://www.animetorrents.com:

at the begining of the page:

<!-- PayPopup.com Popup Blocker Detector Begin -->
<script>
// Blocker probe: PB ends up true when the script concludes a popup blocker is
// active.
var PB = false;
// Any uncaught script error while this handler is installed sets PB.
function failed() {PB=true;}

// Open a 1x1 window named "paypopuptest" at left=5000,top=5000, then open the
// same name again and compare the two return values.
var firstPop =
window.open("","paypopuptest","width=1,height=1,left=5000,top=5000",true);
window.onerror=failed
var secondPop = window.open("","paypopuptest","width=1,height=1");
if(firstPop == secondPop) PB=false;
else PB=true;
// If a blocker made the first open return null, the next line throws; the
// onerror handler then sets PB=true and the rest of this block does not run.
firstPop.blur(); 
firstPop.close(); 
window.onerror=null;
</script>
<!-- PayPopup.com Popup Blocker Detector End -->

At the end of the page:
<!-- PayPopup.com Advertising Code End -->
<SCRIPT LANGUAGE="JavaScript1.1">
var paypopup_clicked = false;
// One-shot click handler: calls paypopup() on its first run only. paypopup()
// is not defined in this snippet; presumably it is supplied by the external
// popup.php script that the page writes in.
function gopaypopup(){
	if(paypopup_clicked==false){
		paypopup_clicked=true;
		paypopup();
	}
}

// Both branches write the same external <script> tag for popup.php; only the
// blocker-detected branch also hooks the page's links.
if (PB) {
	//Pop-Under Code Here
	document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" '); 
	document.write('
SRC="http://www.PayPopup.com/popup.php?id=Sarke&pop=enter&t=5&subid=8214">'); 
	document.write('</SCR'+'IPT>'); 
	//Pop-Under Code End
	// Attach gopaypopup to every link without an onclick handler and with an
	// empty target, so the popup request happens inside a user click.
	// dl and i are implicit globals.
	dl = document.links;
	for (i=0; i< dl.length; i++) {
		if (dl[i].onclick==null && dl[i].target==""){ dl[i].onclick = gopaypopup; }
	}
}else{
	//Pop-Under Code Here
		document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" '); 
		document.write('
SRC="http://www.PayPopup.com/popup.php?id=Sarke&pop=enter&t=5&subid=8214">'); 
		document.write('</SCR'+'IPT>'); 
		//Pop-Under Code End
}
</script>
<!-- PayPopup.com Advertising Code End -->


I'm not a javascript expert, but i believe the mangled '<SCRI'+'PT
LANGUAGE="JavaScript1.1" ' is used to load
http://www2.paypopup.com/popup.php?id=Sarke&pop=enter&t=5&subid=8214&blk=1 which
then does the "magic", so i believe the latter URL should be checked, especially
this part which I believe is the one that intercepts mouse clicks on links:

// Popup entry point as quoted from popup.php. poped, usingXPSP2, paypopupURL
// and gopop are defined outside this excerpt. The long lines were hard-wrapped
// by the bug tracker, including inside string literals.
function paypopup(){
        if (!poped) {
                if(!usingXPSP2) {
                       
// First attempt: a direct window.open of a 1x1 window at top=10000,left=10000.
popwin=window.open(paypopupURL,'Ads1104679600','scrollbars=1,resizable=1,menubar=1,location=1,top=10000,left=10000,width=1,height=1');
                        var
popV2="scrollbars=1,resizable=1,menubar=1,location=1,top=10000,left=10000,width=1,height=1";
                                                // Fallback when the direct open returned nothing: a modeless
                                                // dialog (an Internet Explorer API) loaded from a javascript:
                                                // URL that silences errors, calls window.open after 100 ms
                                                // and then closes itself.
                                                if(!popwin) {
                                window.showModelessDialog("javascript:function
er(){return true;} window.onerror = er; function
p(){setTimeout(\"window.open('"+paypopupURL+"','1104679600', '"+popV2+"', true);
self.close();\",100);} p();","","dialogtop=2999; dialogleft=2999;
dialogheight:0px; dialogWidth:0px; status:no; help:no");
                        }
                        else {
                                popwin.blur();
                        }
                                                self.focus();
                        // Set whether or not either attempt produced a window.
                        poped = true;
                }
                else {
                        // usingXPSP2 path: wait for the next click anywhere in the
                        // document and let gopop request the window from that handler.
                        if (window.Event) document.captureEvents(Event.CLICK);
                        document.onclick = gopop;
                        self.focus();
                }
        }
}


When using FireFox 1.0 on Mac OS/X visiting http://www.usagreetings.com/, popups
were not blocked.

(If it means anything, the Mac install of FireFox originally has a pre-release
of 1.0 installed, but was upgraded.)

I was unable to reproduce this on a Windows machine with the same version of
FireFox, although the Windows machine has Adblock installed.
I also get the popups, using Firefox 1.0 (Mozilla/5.0 (Windows; U; Win 9x 4.90;
es-AR; rv:1.7.5) Gecko/20041108 Firefox/1.0). But the weird thing, is after
getting the popups (4 in total, for ngemu.com), Firefox hangs by about 30
seconds with 100% CPU usage, on a Celeron 700, with 112MB of RAM, and WinMe with
ALL latest security patches applied. It seems that PayPopup.com is using a more
aggresive popup system, making the sites almost un-browse-able, AND FORCING THE
USERS TO SEE THE DAMN POPUPS!.

Firefox is fooled this time, and in a very "dirty" way.
Please try moving or deleting the firefox directory from your home directory
and starting from scratch -- or re-importing your preferences from mozilla.

This completely solved the popup problem for me.  There seem to be some
important issues when using a new version of firefox with your old preferences
file.
It doesn't matter what version of Firefox is being used. I just installed the
latest build and erased my entire profile, but despite all that trouble it still
works. Oddly enough, Internet Explorer running under Windows XP with the SP2
upgrade actually blocks the pop-up.

Unlike the onClick() pop-ups that are starting to show up, this uses another
kind of exploit that starts as soon as the mouse clicks somewhere, then sets up
a timer of sorts to continue popping up windows safely.
Another example of this can be seen at http://www.vgmuseum.com/ where clicking
on most links loads a frame and the main window launches some script that
presents the popups.  The script comes from
http://www.PayPopup.com/popup.php?id=ztnet&pop=enter&t=5&subid=8295&blk=1 and
appears to just sniff your useragent and perform different events based on what
it finds.

 // Setup section of the quoted popup.php script.
 document.cookie = 'oneinone=yes';
 // Returning true from window.onerror suppresses the browser's default error
 // reporting, so failures in this script stay silent.
 function blockError(){
        return true;
}
window.onerror = blockError;
//bypass norton internet security popup blocker
// If either global exists, window.open is reassigned to it. Presumably a
// blocking product kept the native window.open under these names before
// installing its own wrapper; confirm against the product in question.
if (window.SymRealWinOpen){
        window.open = SymRealWinOpen;
}
if (window.NS_ActualOpen) {
        window.open = NS_ActualOpen;
}
// Ad URL with the escaped current page location appended as the ref parameter.
var paypopupURL =
"http://www6.paypopup.com/loading.php?id=ztnet&pop=exit&t=&subid=&tid=1108409135&pip=24.58.21.178"+"&ref="+escape(self.location);
// State shared by version(), gopop() and paypopup() below.
var usingClick = false;
var popwin = null;
var poped = false;
// Click handler: on the first click anywhere in the document, opens the ad
// window (1x1 at top=10000,left=10000) and returns focus to this page.
// poped is set without checking whether window.open returned a window.
function gopop() {
	if (!poped) {
		popwin =
window.open(paypopupURL,'Ads1108409135','scrollbars=1,resizable=1,menubar=1,location=1,top=10000,left=10000,width=1,height=1');
		poped = true;
		self.focus();
	}
}
// Tries a direct window.open unless usingClick is set; poped is only set when
// that call returned a window. If nothing has opened after that, the function
// falls back to capturing clicks and letting gopop open the window from the
// next user click.
function paypopup(){
	if (!poped) {
		if(!usingClick) {
			popwin =
window.open(paypopupURL,'Ads1108409135','scrollbars=1,resizable=1,menubar=1,location=1,top=10000,left=10000,width=1,height=1');
			self.focus();
			if (popwin) {
				poped = true;
			}
		}
	}
	// Still nothing opened: defer to the click handler.
	if (!poped) {
		if (window.Event) document.captureEvents(Event.CLICK);
		document.onclick = gopop;
		self.focus();
	}
}
// User-agent sniffing: usingClick becomes true when the UA string contains
// "SV1", "Opera" or "Firefox". For those browsers the script below uses the
// click-handler path instead of opening a window on unload.
// NOTE(review): "SV1" looks like the Internet Explorer on XP SP2 token; confirm.
function version() {
        usingClick = ((window.navigator.userAgent.indexOf("SV1") != -1) ||
(window.navigator.userAgent.indexOf("Opera") != -1) ||
(window.navigator.userAgent.indexOf("Firefox") != -1));
}
// Choose the trigger: browsers not matched by version() get paypopup on page
// unload; the matched ones get gopop on the first click anywhere in the
// document, which is the path this bug report is about.
version();
if(!usingClick) {
	onunload = paypopup;
}
else {
	if (window.Event) document.captureEvents(Event.CLICK);
	document.onclick = gopop;
}
self.focus();
I've found another site that exploits this bug:
http://www.w3schools.com/css/css_positioning.asp

While LEFT-clicking opens the pop-up, MIDDLE-clicking (to open in a new tab)
does not work. However, it's fairly evident that this bug will soon get out of
control, considering how well-known it is. I've seen Bugzilla reports over a
year old describing this bug, and unfortunately many have been marked with a
"will-not-fix" status. To be frank, this is unacceptable, especially since
Internet Explorer SP2 blocks the pop-ups (pop-ups are eventually made using
another IE-specific exploit, but that's beyond the point).

Here's my suggestion: let's say an event is triggered when a link (the "A" tag)
is clicked. If that "A" tag contains an HREF parameter that points to another
web site, it should block the pop-up. The same should apply for form buttons.
I'm having the same problem with a Netflix popup that just won't quit no matter
what I try.  It seems to be activated by my opening email from any one on my
recipient list...adblock is not working.  I gave a detailed explanation in my
submission of bug# 282284.  It's so similar to this report that perhaps they
should be combined.  We need a fix FAST or else I'm gonna have to go back to
Internet Explorer.  I did not have this problem with it.  
(In reply to comment #11)
> I'm having the same problem with a Netflix popup that just won't quit no matter
> what I try.  It seems to be activated by my opening email from any one on my
> recipient list...adblock is not working.  I gave a detailed explanation in my
> submission of bug# 282284.  It's so similar to this report that perhaps they
> should be combined.  We need a fix FAST or else I'm gonna have to go back to
> Internet Explorer.  I did not have this problem with it.  

That's a tad different...though bug# 281472 is still at large:

https://bugzilla.mozilla.org/show_bug.cgi?id=281472
I think this is the gist of what is happening, take my code and put it in a
small html file and run it and if you click anywhere in the page you will get a
popup. Hope this helps.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Test Firefox hole</TITLE>
<script language="Javascript">
// Minimal reproducer: every click anywhere in the document, not only on links,
// runs redirect, which calls window.open from inside the click handler.
document.onclick = redirect;
function redirect(evt)
{
	var xwin = window.open("http://www.yahoo.com");
	// If the open were blocked and returned null, this line would throw.
	xwin.focus();
	return true;
}
</script>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#FF0000" VLINK="#800000"
ALINK="#FF00FF" BACKGROUND="?">
<div id="test">
</div>
</BODY>
</HTML>
Firefox also fails to block popunders on this site:

www.vastbeyond.com/portal1.htm

(In reply to comment #14)
> Firefox also fails to block popunders on this site:
> 
> www.vastbeyond.com/portal1.htm
> 
> 

Right, see bug# 281472.
https://bugzilla.mozilla.org/show_bug.cgi?id=281472
I've experienced this bug at http://www.zophar.net/ as well. It appears to be
triggered by a javascript click event OUTSIDE a link. It deserves to be fixed
since it is not link-related and is triggered by other actions like selecting
text. Here's a test page I've prepared that shows the bug is reproducible
(method used by paypopup):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Mozilla Firefox Popup Exploit!</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript"><!--
// Test-case click handler: opens one window on the first click and then sets
// haspopped so later clicks do nothing. haspopped is declared in the second
// script element of the test page.
// NOTE(review): as pasted, the two closing braces sit inside the // comment on
// the last line, so the function is not closed in this listing; probably line
// breaks were lost in the paste.
function dopop(){
if (!haspopped){
window.open('http://www.seizurerobots.com/','somethingwindow',
'scrollbars=1,resizable=1,menubar=1,location=1,top=100,left=100,width=320,height=240');
haspopped = true; // only trigger it once to be more elusive...}}
//--></SCRIPT>
<script type="text/javascript"><!--
// Document-level click hook: any click on the page runs dopop, including
// clicks that are not on links. haspopped limits it to one popup.
document.onclick = dopop;
var haspopped = false;
//--></SCRIPT>
</head>
<body>
<h1>A demo of the Mozilla/Firefox popup blocking exploit</h1>
<p>Mozilla Firefox has a flaw in its popup blocking capabilities
which allows a page to load a popup, using JavaScript, through
a page's click event. This unsolicited because it's triggered
by an unrelated action performed by the user, such as making a
text selection.</p>
<p>The popup does not display at all if the user right-clicks
first. This is because Mozilla blocks popups triggered by
onClick if they're from a right-click but not a left.</p>
<p>This bug has been tested in Firefox 1.01 and the Suite 1.7,
both on Windows XP Pro SP2, where it is fully reproducible.</p>
</body>
</html>


<body>
<h1>A demo of the Mozilla/Firefox popup blocking exploit</h1>
<p>Mozilla Firefox has a flaw in its popup blocking capabilities
which allows a page to load a popup, using JavaScript, through
a page's click event. This unsolicited because it's triggered
by an unrelated action performed by the user, such as making a
text selection.</p>
<p>The popup does not display at all if the user right-clicks
first. This is because Mozilla blocks popups triggered by
onClick if they're from a right-click but not a left.</p>
<p>This bug has been tested in Firefox 1.01 and the Suite 1.7,
both on Windows XP Pro SP2, where it is fully reproducible.</p>
</body>
</html>

(In reply to comment #16)

Whoops, copy/paste got messed. Example ends at the </html>.
Test case. Click inside the page to cause a popup. Variable names are the same
as in the paypopup.com code.
(In reply to comment #18) 
> Created an attachment (id=180085) [edit] 
> testcase: click on the page to cause a popup. 
>  
> Test case. Click inside the page to cause a popup. Variable names are the 
same 
> as in the paypopup.com code. 
 
This works even on konqueror! 
*** Bug 289772 has been marked as a duplicate of this bug. ***
Firefox 1.0.3/WinXP Pro SP1 full updates

Unable to block popup while accessing: http://pearlchan.tblog.com/ though
Firefox reported that the popup has been blocked.
Hardware: Other → All
Version: unspecified → 1.0 Branch
*** Bug 292275 has been marked as a duplicate of this bug. ***
Javascript sent back to browser to pop up window.
This is getting to be a serious problem.  Can we stop Javascript from grabbing
events?
*** Bug 295551 has been marked as a duplicate of this bug. ***
*** Bug 288691 has been marked as a duplicate of this bug. ***
need testcase keyword
Similar to this bug, the website www.smh.com.au has changed their popup code
recently. The popups were getting stopped by Firefox, but today when I went
there the popups were not getting blocked. I don't know what the code is that is
causing the popup to function.
Assignee: firefox → nobody
Version: 1.0 Branch → Trunk
I have popups occuring intermittently, but most recently at this URL:
http://www.cibomatto.com/
Popups are blocked with my version.
Guess they have fixed the bug !!

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050818
Firefox/1.6a1
I'm using 1.06 on WinXP still problem with

http://www.torrentreactor.com/
http://isohunt.com/
(In reply to comment #30)
*** Bug 299585 has been marked as a duplicate of this bug. ***
Ok I looked into these popups that are still getting through the popup blocker. And I know at least one method that is getting through the blocker, and it should be fairly easy to detect and stop. The offending code takes advantage of document.write (which usually can be successfully blocked); the difference is in the way they call 

(document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" '); 
 or
(document.write('<SCRI'+'PT src='http://somecode.com/ad.js'" '); 

by separating the code to be printed (within the actual tag), they are able to execute popups and defeat the blocker.

If a developer could add this type of popup to the blocker we are good. And as a suggestion it would be great if the blocker had a way to add new detection methods in a setting or something (without having to wait for Firefox to be patched). And one more suggestion: a blocker whitelist in addition to the blacklist would be cool too (it would make blocking a lot easier).
That is not the problem. It'll still interpret an unrequested popup as an unrequested popup, except in the case of when a script hooks onto the "onClick" property (which is what PayPopup.com does).

(In reply to comment #33)
> Ok I looked into these popup that are still getting through the popup blocker.
> And i know at least one method that is getting through the blocker, and it
> should be fairly easy to detect and stop. The offending code takes advanage of
> document.write, (which usually can be succesfully blacked) the difference in
> the way they call 
> 
> (document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" '); 
>  or
> (document.write('<SCRI'+'PT src='http://somecode.com/ad.js'" '); 
> 
> by seperating the code to be printed (within the actual tag), they are able to
> execute popups and defeat the blocker.
> 
> If a developer could add this type of popup to the blocker we are good. And as
> a suggestion it would be great if the blocker had a way to add new detection
> methods in a setting or something )without having to wait for the firefox to be
> patched. And one more suggestion a blocker whitelist in addition to the
> blacklist would be cool to (it would make blocking a lot easier)
> 
I can confirm this one: I went to http://www.usagreetings.com/ and was presented with a popup (but only on the first visit; when I tried again a few minutes later, there was no popup).

This popup had a normal window border, in contrast to the popup-blocker failures I get from pcworld.com (those lack a normal border).

Using Mozilla 1.80b (Windows; U; Win98; en-US; rv:1.8b) Gecko/20050217) on Win98. Set to block all popups (no sites allowed). No other blockers installed. 

Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
AFAICT, this is NOT a duplicate (at least from the user perspective). Bug 212163 requires that the user click somewhere on the page to trigger the unwanted popup. In the examples cited hereabove, one need only GO to the site, and need not click anything, nonetheless up comes the popup all by itself.

I've seen others like this since I wrote the previous bug-comment, but didn't record where I was.
Rez, most of the comments here are talking about paypopup.com using an onclick popup.  If you're seeing something different (even if it's associated with paypopup.com) I think you should file a separate bug report.