Closed Bug 272218 Opened 20 years ago Closed 20 years ago

page opens IE (!!) windows by javascript despite blocked popups

Categories

(SeaMonkey :: General, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: wefa, Unassigned)

Details

(Whiteboard: [sg:needinfo])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910

This page opens one or two MS Internet Explorer windows on my desktop upon
viewing in Mozilla (id est: without any click). IE did not run before. This may
be related to a Cisco ad on the page. The url in the window is
"javascript:tz_expand_00003007(0)". I have popups blocking activated.

Mozilla is more or less standard installed, I have *not* deactivated any
security related features.

I tried multiple times (reload), getting the same result.

Given the obvious security implications of this ability I consider this a
serious problem.


Reproducible: Always
Steps to Reproduce:
1. Open page in Mozilla
2. Wait ~ 10 sec
3.

Actual Results:  
Internet Explorer Window opens with URL "javascript:tz_expand_00003007(0)"

Expected Results:  
Nothing.

I suspect this is a result of IE being the handler for javascript URLs. Firefox
doesn't register itself as a handler of these URL types so the application which
is the handler will launch to load that URL. 

This is probably a duplicate of bug 241387 and I don't see any immediate
security issue here so I don't think this should be in the security bug group.

this is nonsense.

If a web site displayed in Mozilla can open IE and make it execute js code, then
mozilla inherits all security issues ie has.  

This is not Firefox but Mozilla 1.7.3, btw.

Claiming this is not a security bug means closing your eyes in hope the issue
will magically go away. Many people use Mozilla as a secondary or even primary
browser, while still needing a fully functional IE. Mozilla Security should -
must, actually, given the state of IE and windows security - rest upon itself
and may not rely on any detail of IE installation.

WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107
Firefox/1.0.

This is not a dup of bug 241387 because this would be a security issue even if
you had Internet Explorer set as your default browser.  Also, I see bug 241387
but not this bug.

Christoph, can you make a simplified testcase?

Asa is not speaking for the Mozilla Security Group here. We most definitely *DO*
see launching IE as a security problem and have fixed similar security bugs in
the past, sometimes as an emergency release (remember shell: anyone?)

bug 241387 is not relevant, that has to do with external programs--specifically
Thunderbird--launching a browser other than Firefox when clicking on a
javascript link. Firefox itself has never referred javascript URLs to an
external program, and Thunderbird is now fixed not to do so. Other programs
would still not launch Firefox so bug 241387 remains open.

*This* bug is about the suite, so bug 241387 is doubly not relevant.

All that said, like Jesse I cannot reproduce this bug. I tried Moz 1.7.2, 1.8a5,
and for kicks Firefox 1.0 (misled by comment 1). Even with the popup blocker
turned off I don't see any popup attempt.

On Firefox the Cisco ad (when I get it) appears to be an animated gif, and I see
javascript:tz_clickthrough_00003006(0,"static");void(0) in the status bar when I
mouseover. In the Mozilla suite (trunk and 1.7 branch) the image expands when I
mouseover. I buy your assumption that javascript:tz_expand_etc is related to
this ad though I didn't dig through the doubleclick ad scripts to verify.

Christoph: Is it possible your protocol handler prefs got tweaked somehow,
either experimentally, maliciously, or through some mistaken extension? Go to
about:config and filter on "network.protocol". Is javascript mentioned
explicitly in one of those settings?

If that looks ok, you might also see this symptom if somehow the javascript
handler didn't get registered. I don't know how that could occur, but here's how
to check for it:
 go to the installation directory
 find the file compreg.dat in the components subdirectory
 you should see a line with @mozilla.org/network/protocol;1?name=javascript

If you have this line I'm stumped. If you don't, try forcing a component
reregistration by renaming (so we can investigate further if necessary)
compreg.dat out of the way. Do this while the browser is shut down, and then
restart it. If a reregistration doesn't add the entry then something is broken
in your copy of the browser; you should try reinstalling.
Whiteboard: [sg:needinfo]

(In reply to comment #4)
> On Firefox the Cisco ad (when I get it) appears to be an animated gif, and I see
> javascript:tz_clickthrough_00003006(0,"static");void(0) in the status bar when I
> mouseover. In the Mozilla suite (trunk and 1.7 branch) the image expands when I
> mouseover. I buy your assumption that javascript:tz_expand_etc is related to
> this ad though I didn't dig through the doubleclick ad scripts to verify.

I had the impression when I encountered that bug that there was some flash
component involved - but I might be wrong. Unfortunately I did not get that page
again after your comment, so I can't confirm or deny anything.

I hope to get at the affected machine some time next week, and will try to
answer the rest of your questions.

(In reply to comment #4)
> Christoph: Is it possible your protocol handler prefs got tweaked somehow,
> either experimentally, maliciously, or through some mistaken extension? Go to
> about:config and filter on "network.protocol". Is javascript mentioned
> explicitly in one of those settings?

Yes. 

network.protocol-handler.external.javascript default boolean false

> [...possibly...] the javascript handler didn't get registered. [...]
>  go to the installation directory
>  find the file compreg.dat in the components subdirectory
>  you should see a line with @mozilla.org/network/protocol;1?name=javascript

hmmmm ... there are actually two such lines:

{bfc310d2-38a0-11d3-8cd3-0060b0fc14a3},@mozilla.org/network/protocol;1?name=javascript,,JavaScript Protocol Handler,gre:gklayout.dll
@mozilla.org/network/protocol;1?name=javascript,{bfc310d2-38a0-11d3-8cd3-0060b0fc14a3}

> If you have this line I'm stumped.[...] you should try reinstalling.

Will do for sure ... some time next week, in case someone here has additional
questions.
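
The two checks requested in comment 4 (the network.protocol-handler.external.* prefs and the compreg.dat registration of the javascript handler), scripted as an added example that is not part of the original bug thread or of Mozilla's code. The function names and sample inputs are constructed for illustration; the compreg.dat line shapes are the two quoted in the comment above, and the `true` override is a made-up misconfiguration.

```python
import re

CONTRACT = "@mozilla.org/network/protocol;1?name=javascript"
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\("network\.protocol-handler\.external\.([^"]+)",\s*(true|false)\);')
CID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")

def external_schemes(prefs_text):
    """Return the schemes a prefs file hands to an external (OS) handler."""
    found = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            found[m.group(1)] = (m.group(2) == "true")  # later lines override earlier
    return sorted(s for s, on in found.items() if on)

def handler_registration(compreg_text, contract=CONTRACT):
    """Look for both compreg.dat line shapes quoted in the thread.

    Returns (cid, library): cid is None if the contract->CID line is missing,
    library is None if no class line for that CID names an implementing file.
    """
    cid, classes = None, {}
    for line in compreg_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 2 and parts[0] == contract and CID_RE.match(parts[1]):
            cid = parts[1]
        elif len(parts) >= 5 and CID_RE.match(parts[0]):
            classes[parts[0]] = parts[-1]
    return cid, classes.get(cid)

# Constructed sample input: a default pref() line followed by user overrides.
SAMPLE_PREFS = '''\
pref("network.protocol-handler.external.javascript", false);
user_pref("network.protocol-handler.external.javascript", true);
user_pref("network.protocol-handler.external.mailto", true);
'''
SAMPLE_COMPREG = '''\
{bfc310d2-38a0-11d3-8cd3-0060b0fc14a3},@mozilla.org/network/protocol;1?name=javascript,,JavaScript Protocol Handler,gre:gklayout.dll
@mozilla.org/network/protocol;1?name=javascript,{bfc310d2-38a0-11d3-8cd3-0060b0fc14a3}
'''

if __name__ == "__main__":
    print("external schemes:", external_schemes(SAMPLE_PREFS))
    print("javascript handler:", handler_registration(SAMPLE_COMPREG))
```

A healthy profile reports no `javascript` entry from `external_schemes` and a non-empty pair from `handler_registration`, which is what the values reported in this bug show.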

Reluctantly WFM. If you ever see similar symptoms try to save the page.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME