Last Comment Bug 270867 - popup blocker fails to block popup (PayPopup.com)
: popup blocker fails to block popup (PayPopup.com)
Status: RESOLVED DUPLICATE of bug 212163
:
Product: Firefox
Classification: Client Software
Component: General (show other bugs)
: Trunk
: All All
: -- normal with 10 votes (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
http://ngemu.com/
: 288691 289772 292275 295551 299585 (view as bug list)
Depends on:
Blocks: pop-up-arms-race
  Show dependency treegraph
 
Reported: 2004-11-19 13:06 PST by Miguel Angel
Modified: 2007-07-23 05:03 PDT (History)
10 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase: click on the page to cause a popup. (466 bytes, text/html)
2005-04-08 11:46 PDT, Keith Hardman
no flags Details
Javascript sent from paypopup.com (1.91 KB, text/plain)
2005-05-02 11:56 PDT, Kelly Price
no flags Details

Description Miguel Angel 2004-11-19 13:06:15 PST
User-Agent:       Mozilla/5.0 (compatible; Konqueror/3.2) (KHTML, like Gecko)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0

When the page at http://ngemu.com/ starts, the popup is catched, but if you 
click on one of the console's links, a popup opens. 
Tested with mozilla 1.6 too. 

Reproducible: Always
Steps to Reproduce:
1.Open http://ngemu.com/ with firefox 
2.Once the page is loaded (popup has been blocked), click on a console link 
(i.e. dreamcast) 
3.Popup will open at the right lower corner of the screen 
 
Actual Results:  
Popup opens 

Expected Results:  
Popup blocked 

Javascript code in the page: 
 
<script language="JavaScript"> 
 function Fullsize(adress, iwidth, iheight) { 
    var newurl = '' + adress; 
    var params = 'toolbars=0, scrollbars=0, location=0, statusbars=0, ' + 
                 'width=' + iwidth+ ', height=' + iheight 
                 + ' menubars=0, resizable=0, left=0, top=0'; 
    newwindow=window.open(newurl, 'fullimg', params); 
 } 
//--> 
</script> 
 
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript"> 
       <!-- 
       function getto(form, i) { 
       var site = form.elements[i].selectedIndex; 
             if ( site >= 0 ) { 
          top.location = 
form.elements[i].options[site].value; 
          } 
       } 
       // --> 
          </SCRIPT> 
<!-- PayPopup.com Popup Blocker Detector Begin --> 
<script> 
var PB = false; 
function failed() {PB=true;} 
var firstPop = 
window.open("about:blank","paypopuptest","width=1,height=1,left=5000,top=5000",true); 
window.onerror=failed 
var secondPop = window.open("about:blank","paypopuptest","width=1,height=1"); 
if(firstPop == secondPop) PB=false; 
else PB=true; 
firstPop.blur(); 
firstPop.close(); 
window.onerror=null; 
 
</script> 
<!-- PayPopup.com Popup Blocker Detector End --> 
<!-- PayPopup.com Advertising Code Begin --> 
<script language="JavaScript">  
var paypopup_clicked = false; 
function gopaypopup(){ 
 if(paypopup_clicked==false){ 
  paypopup_clicked=true; 
  paypopup(); 
 } 
} 
 
if (PB) { 
 //Pop-Under Code Here 
 document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" ');  
 document.write(' 
SRC="http://www.PayPopup.com/popup.php?id=Bobbi&pop=enter&t=5&subid=7130">');  
 document.write('</SCR'+'IPT>');  
 //Pop-Under Code End 
 dl = document.links; 
 for (i=0; i< dl.length; i++) { 
  if (dl[i].onclick==null && dl[i].target==""){ dl[i].onclick = 
gopaypopup; } 
 } 
}else{ 
 //Pop-Under Code Here 
  document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" ');  
  document.write(' 
SRC="http://www.PayPopup.com/popup.php?id=Bobbi&pop=enter&t=5&subid=7130">');  
  document.write('</SCR'+'IPT>');  
  //Pop-Under Code End 
} 
</SCRIPT> 
<!-- PayPopup.com Advertising Code End --> 
 
 
Popup code: 
<HTML> 
<HEAD> 
<TITLE>Advertising_Loading_Window...</TITLE> 
<script language="JavaScript"> 
<!-- 
GoHideMe(); 
function gopopup(){ 
   delCookie(); 
   var popURL= 
"http://www1.paypopup.com/links.php?id=Bobbi&pk=&subid=7130&tid=w3119u251751&ref=aHR0cDovL25nZW11LmNvbS9nYmEv&pip=&ip=&22222=1"; 
   self.location = popURL; 
self.blur(); 
} 
function GoHideMe(){ 
        self.blur(); 
        self.moveTo(10000,10000); 
        self.resizeTo(1,1); 
        self.blur(); 
  if (navigator.appName=="Netscape") { 
if(window.opener){ 
window.opener.focus(); 
} 
} 
} 
function delCookie(){ 
        document.cookie="active=0;"; 
} 
function ReadCookie(cookieName) { 
 var theCookie=""+document.cookie; 
 var ind=theCookie.indexOf(cookieName); 
 if (ind==-1 || cookieName=="") return ""; 
 var ind1=theCookie.indexOf(';',ind); 
 if (ind1==-1) ind1=theCookie.length; 
 return unescape(theCookie.substring(ind+cookieName.length+1,ind1)); 
} 
//close the window 
if (ReadCookie("popupnum") > 4 || ReadCookie("active") == 1 ){ 
  self.close(); 
} 
document.cookie = "active=1"; 
//read the popup cookie 
var popupnum = ReadCookie("popupnum"); 
if (popupnum == ""){ 
    document.cookie = "popupnum=1"; 
} 
window.setTimeout("gopopup();", 5000); 
// --> 
</script> 
</HEAD> 
<BODY onFocus="GoHideMe();" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" 
VLINK="#800080"  onUnload="delCookie();"> 
<small>Advertising Loading Window, Powered by <a href="http://paypopup.com" 
target=_blank>paypopup.com</a></small><br> 
<img 
src="http://test.yesadvertising.com/links.php?aid=12&pid=1005&cid=1308&lid=1" 
width=1 height=1> 
</BODY> 
</HTML>
Comment 1 Andrea Cavaliero 2004-12-22 07:46:24 PST
just tried this... popup gets closed. I'm using Firefox 1.0 on windows.
You can safely close this bug.
Comment 2 Andrea Cavaliero 2004-12-22 07:50:25 PST
(In reply to comment #1)
> just tried this... popup gets closed. I'm using Firefox 1.0 on windows.
> You can safely close this bug.

sorry i was wrong, it actually took some time for the popup to open, so i didn't
notice it.

I think there should be a unique bugreport for all the problems with popup
blocking not working, so maybe this should be merged with #253831
Comment 3 Eddie Noragong 2004-12-24 06:52:27 PST
I've been using Firefox for about 2 months now, without any sign of popups till
3 days ago.  It doesn't matter what site I go to, same behavior : page opens
fine, sometimes with a notice that popup was blocked; but, for at least the
first click, on any console/banner links, a popup occurs.  I don't know how to
look at the popup's source (CNTL-U doesn't work), but I suspect that the problem
is a hiole in firefox code, exploited by client side code.  The primary reason
for this is that these popups are occuring from my own web site, but only when
using one of my PCs, an XP, running SP2.  My daughter indiscrimanently surfs the
web, and my step son openly accesses sex sites (he's moving out soon for it
too), so perhaps they are picking up spyware that exploits a weakness in firefox
code.  Are there any Windows firewall settings that I should check?
Comment 4 Covarde_Anonimo 2005-01-02 07:34:41 PST
this bug also happens with mozilla suite runnig in linux.

steps to reproduce:

1- in a recent linux distro, download latest nightly build (i'm using Mozilla
1.8a6 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a6) Gecko/20050101)

2- access http://www.animetorrents.com. two popups will be blocked, one ath the
begging other at the end of the loading proccess.

3- keep open some task/window list (in windowmaker click with the midle button
in an empty desktop space, in KDE/Gnome keep an eye in the task bar) and click
in "Bittorrent Downloads"

4- a very small window will apear at the lower left side of the desktop, then
grow to fill the screen.

software used:

- Debian GNU/linux unstable (SID)
- Windowmaker 0.9.1
- Mozilla suite - Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a6) Gecko/20050101

Javascript found in http://www.animetorrents.com:

at the begining of the page:

<!-- PayPopup.com Popup Blocker Detector Begin -->
<script>
var PB = false;
function failed() {PB=true;}

var firstPop =
window.open("","paypopuptest","width=1,height=1,left=5000,top=5000",true);
window.onerror=failed
var secondPop = window.open("","paypopuptest","width=1,height=1");
if(firstPop == secondPop) PB=false;
else PB=true;
firstPop.blur(); 
firstPop.close(); 
window.onerror=null;
</script>
<!-- PayPopup.com Popup Blocker Detector End -->

At the end of the page:
<!-- PayPopup.com Advertising Code End -->
<SCRIPT LANGUAGE="JavaScript1.1">
var paypopup_clicked = false;
function gopaypopup(){
	if(paypopup_clicked==false){
		paypopup_clicked=true;
		paypopup();
	}
}

if (PB) {
	//Pop-Under Code Here
	document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" '); 
	document.write('
SRC="http://www.PayPopup.com/popup.php?id=Sarke&pop=enter&t=5&subid=8214">'); 
	document.write('</SCR'+'IPT>'); 
	//Pop-Under Code End
	dl = document.links;
	for (i=0; i< dl.length; i++) {
		if (dl[i].onclick==null && dl[i].target==""){ dl[i].onclick = gopaypopup; }
	}
}else{
	//Pop-Under Code Here
		document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" '); 
		document.write('
SRC="http://www.PayPopup.com/popup.php?id=Sarke&pop=enter&t=5&subid=8214">'); 
		document.write('</SCR'+'IPT>'); 
		//Pop-Under Code End
}
</script>
<!-- PayPopup.com Advertising Code End -->


I'm not a javascript expert, but i believe the mangled '<SCRI'+'PT
LANGUAGE="JavaScript1.1" ' is used to load
http://www2.paypopup.com/popup.php?id=Sarke&pop=enter&t=5&subid=8214&blk=1 wich
then does the "magic", so i believe the later URL should be checked, specially
this part wich I believe is the one that intercepts mouse clicks on links:

function paypopup(){
        if (!poped) {
                if(!usingXPSP2) {
                       
popwin=window.open(paypopupURL,'Ads1104679600','scrollbars=1,resizable=1,menubar=1,location=1,top=10000,left=10000,width=1,height=1');
                        var
popV2="scrollbars=1,resizable=1,menubar=1,location=1,top=10000,left=10000,width=1,height=1";
                                                if(!popwin) {
                                window.showModelessDialog("javascript:function
er(){return true;} window.onerror = er; function
p(){setTimeout(\"window.open('"+paypopupURL+"','1104679600', '"+popV2+"', true);
self.close();\",100);} p();","","dialogtop=2999; dialogleft=2999;
dialogheight:0px; dialogWidth:0px; status:no; help:no");
                        }
                        else {
                                popwin.blur();
                        }
                                                self.focus();
                        poped = true;
                }
                else {
                        if (window.Event) document.captureEvents(Event.CLICK);
                        document.onclick = gopop;
                        self.focus();
                }
        }
}


Comment 5 Robert Rothenberg 2005-01-03 06:48:30 PST
When using FireFox 1.0 on Mac OS/X visiting http://www.usagreetings.com/, popups
were not blocked.

(If it means anything, the Mac install of FireFox originally has a pre-release
of 1.0 installed, but was upgraded.)

I was unable to reproduce this on a Windows machine with the same version of
FireFox, although the Windows machine has Adblock installed.
Comment 6 Tom Maneiro 2005-01-13 16:04:09 PST
I also get the popups, using Firefox 1.0 (Mozilla/5.0 (Windows; U; Win 9x 4.90;
es-AR; rv:1.7.5) Gecko/20041108 Firefox/1.0). But the weird thing, is after
getting the popups (4 in total, for ngemu.com), Firefox hangs by about 30
seconds with 100% CPU usage, on a Celeron 700, with 112MB of RAM, and WinMe with
ALL latest security patches applied. It seems that PayPopup.com is using a more
aggresive popup system, making the sites almost un-browse-able, AND FORCING THE
USERS TO SEE THE DAMN POPUPS!.

Firefox is fooled this time, and in a very "dirt" way.
Comment 7 walter sheets 2005-02-06 15:28:44 PST
Please try moving or deleting the firefox directory from your home directory
and starting from scratch -- or re-importing your preferences from mozilla.

This completely solved the popup problem for me.  There seem to be some
important issues when using a new version of firefox with your old preferences
file.
Comment 8 Tokachu 2005-02-13 00:37:34 PST
It doesn't matter what version of Firefox is being used. I just installed the
latest build and erased my entire profile, but despite all that trouble it still
works. Oddly enough, Internet Explorer running under Windows XP with the SP2
upgrade actually blocks the pop-up.

Unlike the onClick() pop-ups that are starting to show up, this uses another
kind of exploit that starts as soon as the mouse clicks somewhere, then sets up
a timer of sorts to continue popping up windows safely.
Comment 9 bugzilla 2005-02-14 11:48:06 PST
Another example of this can be seen at http://www.vgmuseum.com/ where clicking
on most links loads a frame and the main window launches some script that
presents the popups.  The script comes from
http://www.PayPopup.com/popup.php?id=ztnet&pop=enter&t=5&subid=8295&blk=1 and
appears to just sniff your useragent and perform different events based on what
it finds.

 document.cookie = 'oneinone=yes';
 function blockError(){
        return true;
}
window.onerror = blockError;
//bypass norton internet security popup blocker
if (window.SymRealWinOpen){
        window.open = SymRealWinOpen;
}
if (window.NS_ActualOpen) {
        window.open = NS_ActualOpen;
}
var paypopupURL =
"http://www6.paypopup.com/loading.php?id=ztnet&pop=exit&t=&subid=&tid=1108409135&pip=24.58.21.178"+"&ref="+escape(self.location);
var usingClick = false;
var popwin = null;
var poped = false;
function gopop() {
	if (!poped) {
		popwin =
window.open(paypopupURL,'Ads1108409135','scrollbars=1,resizable=1,menubar=1,location=1,top=10000,left=10000,width=1,height=1');
		poped = true;
		self.focus();
	}
}
function paypopup(){
	if (!poped) {
		if(!usingClick) {
			popwin =
window.open(paypopupURL,'Ads1108409135','scrollbars=1,resizable=1,menubar=1,location=1,top=10000,left=10000,width=1,height=1');
			self.focus();
			if (popwin) {
				poped = true;
			}
		}
	}
	if (!poped) {
		if (window.Event) document.captureEvents(Event.CLICK);
		document.onclick = gopop;
		self.focus();
	}
}
function version() {
        usingClick = ((window.navigator.userAgent.indexOf("SV1") != -1) ||
(window.navigator.userAgent.indexOf("Opera") != -1) ||
(window.navigator.userAgent.indexOf("Firefox") != -1));
}
version();
if(!usingClick) {
	onunload = paypopup;
}
else {
	if (window.Event) document.captureEvents(Event.CLICK);
	document.onclick = gopop;
}
self.focus();
Comment 10 Tokachu 2005-02-14 13:28:16 PST
I've found another site that exploits this bug:
http://www.w3schools.com/css/css_positioning.asp

While LEFT-clicking opens the pop-up, MIDDLE-clicking (to open in a new tab)
does not work. However, it's fairly evident that this bug will soon get out of
control, considering how well-known it is. I've seen Bugzilla reports over a
year old describing this bug, and unfortunately many have been marked with a
"will-not-fix" status. To be frank, this is unacceptable, especially since
Internet Explorer SP2 blocks the pop-ups (pop-ups are eventually made using
another IE-specific exploit, but that's beyond the point).

Here's my suggestion: let's say an event is triggered when a link (the "A" tag)
is clicked. If that "A" tag contains an HREF parameter that points to another
web site, it should block the pop-up. The same should apply for form buttons.
Comment 11 graydlett 2005-02-14 20:03:35 PST
I'm having the same problem with a Netflix popup that just won't quit no matter
what I try.  It seems to be activated by my opening email from any one on my
recipient list...adblock is not working.  I gave a detailed explanation in my
submission of bug# 282284.  It's so similar to this report that perhaps they
should be combined.  We need a fix FAST or else I'm gonna have to go back to
Internet Explorer.  I did not have this problem with it.  
Comment 12 Tokachu 2005-02-16 12:48:52 PST
(In reply to comment #11)
> I'm having the same problem with a Netflix popup that just won't quit no matter
> what I try.  It seems to be activated by my opening email from any one on my
> recipient list...adblock is not working.  I gave a detailed explanation in my
> submission of bug# 282284.  It's so similar to this report that perhaps they
> should be combined.  We need a fix FAST or else I'm gonna have to go back to
> Internet Explorer.  I did not have this problem with it.  

That's a tad different...though bug# 281472 is still at large:

https://bugzilla.mozilla.org/show_bug.cgi?id=281472
Comment 13 Tonetheman 2005-02-16 22:29:25 PST
I think this is the gist of what is happening, take my code and put it in a
small html file and run it and if you click anywhere in the page you will get a
popup. Hope this helps.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Test Firefox hole</TITLE>
<script language="Javascript">
document.onclick = redirect;
function redirect(evt)
{
	var xwin = window.open("http://www.yahoo.com");
	xwin.focus();
	return true;
}
</script>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#FF0000" VLINK="#800000"
ALINK="#FF00FF" BACKGROUND="?">
<div id="test">
</div>
</BODY>
</HTML>
Comment 14 mike brown 2005-02-17 14:30:56 PST
Firefox also fails to block popunders on this site:

www.vastbeyond.com/portal1.htm

Comment 15 Tokachu 2005-02-17 15:14:46 PST
(In reply to comment #14)
> Firefox also fails to block popunders on this site:
> 
> www.vastbeyond.com/portal1.htm
> 
> 

Right, see bug# 281472.
https://bugzilla.mozilla.org/show_bug.cgi?id=281472
Comment 16 Greg Edwards 2005-02-26 12:20:15 PST
I've experienced this bug at http://www.zophar.net/ as well. It appears to be
triggered by a javascript click event OUTSIDE a link. It deserves to be fixed
since it is not link-related and is triggered by other actions like selecting
text. Here's a test page I've prepared that shows the bug is reproducible
(method used by paypopup):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Mozilla Firefox Popup Exploit!</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript"><!--
function dopop(){
if (!haspopped){
window.open('http://www.seizurerobots.com/','somethingwindow',
'scrollbars=1,resizable=1,menubar=1,location=1,top=100,left=100,width=320,height=240');
haspopped = true; // only trigger it once to be more elusive...}}
//--></SCRIPT>
<script type="text/javascript"><!--
document.onclick = dopop;
var haspopped = false;
//--></SCRIPT>
</head>
<body>
<h1>A demo of the Mozilla/Firefox popup blocking exploit</h1>
<p>Mozilla Firefox has a flaw in its popup blocking capabilities
which allows a page to load a popup, using JavaScript, through
a page's click event. This unsolicited because it's triggered
by an unrelated action performed by the user, such as making a
text selection.</p>
<p>The popup does not display at all if the user right-clicks
first. This is because Mozilla blocks popups triggered by
onClick if they're from a right-click but not a left.</p>
<p>This bug has been tested in Firefox 1.01 and the Suite 1.7,
both on Windows XP Pro SP2, where it is fully reproducible.</p>
</body>
</html>


<body>
<h1>A demo of the Mozilla/Firefox popup blocking exploit</h1>
<p>Mozilla Firefox has a flaw in its popup blocking capabilities
which allows a page to load a popup, using JavaScript, through
a page's click event. This unsolicited because it's triggered
by an unrelated action performed by the user, such as making a
text selection.</p>
<p>The popup does not display at all if the user right-clicks
first. This is because Mozilla blocks popups triggered by
onClick if they're from a right-click but not a left.</p>
<p>This bug has been tested in Firefox 1.01 and the Suite 1.7,
both on Windows XP Pro SP2, where it is fully reproducible.</p>
</body>
</html>

Comment 17 Greg Edwards 2005-03-02 21:20:13 PST
(In reply to comment #16)

Whoops, copy/paste got messed. Example ends at the </html>.
Comment 18 Keith Hardman 2005-04-08 11:46:41 PDT
Created attachment 180085 [details]
testcase: click on the page to cause a popup.

Test case. Click inside the page to cause a popup. Variable names are the same
as in the paypopup.com code.
Comment 19 Miguel Angel 2005-04-08 13:16:12 PDT
(In reply to comment #18) 
> Created an attachment (id=180085) [edit] 
> testcase: click on the page to cause a popup. 
>  
> Test case. Click inside the page to cause a popup. Variable names are the 
same 
> as in the paypopup.com code. 
 
This works even on konqueror! 
Comment 20 Gabriel Chadwick 2005-04-10 13:39:23 PDT
*** Bug 289772 has been marked as a duplicate of this bug. ***
Comment 21 Luu Nhat Huy 2005-04-22 09:02:43 PDT
Firefox 1.0.3/WinXP Pro SP1 full updates

Unable to blockup popup while accessing: http://pearlchan.tblog.com/ though
Firefox reported that the popup has been blocked.
Comment 22 :Gavin Sharp [email: gavin@gavinsharp.com] 2005-04-28 16:14:08 PDT
*** Bug 292275 has been marked as a duplicate of this bug. ***
Comment 23 Kelly Price 2005-05-02 11:56:43 PDT
Created attachment 182414 [details]
Javascript sent from paypopup.com

Javascript sent back to browser to pop up window.
Comment 24 Kelly Price 2005-05-02 12:01:31 PDT
This is getting to be a serious problem.  Can we stop Javascript from grabbing
events?
Comment 25 Jo Hermans 2005-05-26 01:43:57 PDT
*** Bug 295551 has been marked as a duplicate of this bug. ***
Comment 26 Josh Birnbaum 2005-05-26 23:51:32 PDT
*** Bug 288691 has been marked as a duplicate of this bug. ***
Comment 27 Thomas Bertels 2005-06-05 05:07:14 PDT
need testcase keyword
Comment 28 Fuck You 2005-06-21 18:23:42 PDT
Similar to this bug, the website www.smh.com.au has changed their popup code
recently. The popups were getting stopped by Firefox, but today when I went
there the popups were not getting blocked. I don't know what the code is that is
causing the popup to function.
Comment 29 Josh 2005-08-10 19:06:33 PDT
I have popups occuring intermittently, but most recently at this URL:
http://www.cibomatto.com/
Comment 30 bakuryu 2005-08-21 06:14:58 PDT
Popups are blocked with my version.
Guess they have fixed the bug !!

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050818
Firefox/1.6a1
Comment 31 Eduardo 2005-09-17 20:10:00 PDT
I'm using 1.06 on WinXP still problem with

http://www.torrentreactor.com/
http://isohunt.com/(In reply to comment #30)
Comment 32 Boris Zbarsky [:bz] 2005-10-30 17:33:00 PST
*** Bug 299585 has been marked as a duplicate of this bug. ***
Comment 33 dylan.thurston@gmail.com 2005-11-15 13:21:06 PST
Ok I looked into these popup that are still getting through the popup blocker. And i know at least one method that is getting through the blocker, and it should be fairly easy to detect and stop. The offending code takes advanage of document.write, (which usually can be succesfully blacked) the difference in the way they call 

(document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" '); 
 or
(document.write('<SCRI'+'PT src='http://somecode.com/ad.js'" '); 

by seperating the code to be printed (within the actual tag), they are able to execute popups and defeat the blocker.

If a developer could add this type of popup to the blocker we are good. And as a suggestion it would be great if the blocker had a way to add new detection methods in a setting or something )without having to wait for the firefox to be patched. And one more suggestion a blocker whitelist in addition to the blacklist would be cool to (it would make blocking a lot easier)
Comment 34 Tokachu 2005-11-15 13:41:28 PST
That is not the problem. It'll still interpret an unrequested popup as an unrequested popup, except in the case of when a script hooks onto the "onClick" property (which is what PayPopup.com does).

(In reply to comment #33)
> Ok I looked into these popup that are still getting through the popup blocker.
> And i know at least one method that is getting through the blocker, and it
> should be fairly easy to detect and stop. The offending code takes advanage of
> document.write, (which usually can be succesfully blacked) the difference in
> the way they call 
> 
> (document.write('<SCRI'+'PT LANGUAGE="JavaScript1.1" '); 
>  or
> (document.write('<SCRI'+'PT src='http://somecode.com/ad.js'" '); 
> 
> by seperating the code to be printed (within the actual tag), they are able to
> execute popups and defeat the blocker.
> 
> If a developer could add this type of popup to the blocker we are good. And as
> a suggestion it would be great if the blocker had a way to add new detection
> methods in a setting or something )without having to wait for the firefox to be
> patched. And one more suggestion a blocker whitelist in addition to the
> blacklist would be cool to (it would make blocking a lot easier)
> 
Comment 35 Rez 2007-03-15 19:55:47 PDT
I can confirm this one: I went to http://www.usagreetings.com/ and was presented with a popup (but only on the first visit; when I tried again a few minutes later, there was no popup).

This popup had a normal window border, in contrast to the popup-blocker failures I get from pcworld.com (those lack a normal border).

Using Mozilla 1.80b (Windows; U; Win98; en-US; rv:1.8b) Gecko/20050217) on Win98. Set to block all popups (no sites allowed). No other blockers installed. 

Comment 36 Jesse Ruderman 2007-07-22 02:42:09 PDT

*** This bug has been marked as a duplicate of bug 212163 ***
Comment 37 Rez 2007-07-23 02:45:35 PDT
AFAICT, this is NOT a duplicate (at least from the user perspective). Bug 212163 requires that the user click somewhere on the page to trigger the unwanted popup. In the examples cited hereabove, one need only GO to the site, and need not click anything, nonetheless up comes the popup all by itself.

I've seen others like this since I wrote the previous bug-comment, but didn't record where I was.
Comment 38 Jesse Ruderman 2007-07-23 05:03:20 PDT
Rez, most of the comments here are talking about paypopup.com using an onclick popup.  If you're seeing something different (even if it's associated with paypopup.com) I think you should file a separate bug report.

Note You need to log in before you can comment on or make changes to this bug.