Closed Bug 281472 Opened 20 years ago Closed 19 years ago

Popups bypass Firefox popup blocker

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
1.0 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: FarkFnord, Assigned: bugzilla)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Visiting this site will trigger a popup. I poked through the javascript, but it
looks like whatever they're doing is a complicated multi-step process. Not sure
exactly what they're doing, but it's clearly designed to bypass popup blockers.

Oh, it looks like they set a cookie to limit how often the popup is triggered.
It's easily reproducable if you clear the poststuff*.etensity.net and
paypopup.com cookies.

At least on my system, the popup is barely on the screen, only a tiny bit shows
in the lower right corner. But it does show up as a window on the XP task bar. I
dunno if it moves, or if it's there because I have the Firefox Javascript
options set to disallow moving windows.

It also seems to add three or four entries to the browser history (eg, under
"Go" menu), which seems a little odd.

It's a bit disturbing because this is the first popup I've seen in
Mozilla/Firefox for a *long* time... Many months, at least.

Reproducible: Always

Steps to Reproduce:
1. Visit URL
2. Close popup
3. Clear cookies
4. Lather, Rinse, Repeat
WFM - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050206
Firefox/1.0+
WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050206
Firefox/1.0+

I see a "pop-up blocked" icon in my status bar.

> It also seems to add three or four entries to the browser history (eg, under
> "Go" menu), which seems a little odd.

The "Go" menu in Firefox displays recent entries in global history.
This is probably a dupe of Bug 270867?
(In reply to comment #3)
> This is probably a dupe of Bug 270867?

Actually, that bug has to do with JavaScript exploiting the onClick() event to
pop up windows. However, both the JavaScript pop-up blocker bypasser AND the
Flash pop-up blocker are now in very active use in Internet advertising nowadays.

For example, visit this site with Flash installed:
http://www.signonsandiego.com/news/world/20050215-1749-kyotoprotocol.html
...BOOM! A pop-up, generated by this nasty automatically-generated Flash file:
http://cdn.fastclick.net/fastclick.net/ffp.swf

Notice its name, "ffp", meaning "F"ire"f"ox "P"opup. They know about this bug,
and it's only a matter of time before this turns into an epidemic. PLEASE...will
the developers look at this? The newest version of Internet Explorer blocks
these pop-ups!
SURPRISE! It's happened again...

http://abcnews.go.com/Politics/wireStory?id=505718
(you might have to erase all your cookies for it to happen, but it will happen).
I'm not sure if this is the same problem, but
http://thesaurus.reference.com/search?q=fickle has similar behavior.
I was unable to replicate this bug.  I created a brand new profile, so that none
of my modifications to the popup settings would affect it in any way, ensured
that all cookies were cleared each time and visted each URL provided within this
bug, yet not one of them successfully popped up a new window.  Some of them
tried but Firefox displayed the popup blocker info bar and stopped them.
Well, I was finally able to get the popup to work (I still don't know why it
didn't before), but I've also found a workaround for it.

1. Go to about:config
2. Set browser.tabs.showSingleWindowModePrefs to true
3. Go to Tools > Options...
4. Select the Advanced tab
5. Check "Force links that open new windows to open in:"
6. Check "the same tab/window as the link"

That also explains why my normal profile doesn't get popups either, because I
have that set to stop the annoying target attribute opening new windows.
(In reply to comment #4)
> 
> For example, visit this site with Flash installed:
> http://www.signonsandiego.com/news/world/20050215-1749-kyotoprotocol.html
> ...BOOM! A pop-up, generated by this nasty automatically-generated Flash file:
> http://cdn.fastclick.net/fastclick.net/ffp.swf
> 
> Notice its name, "ffp", meaning "F"ire"f"ox "P"opup. They know about this bug,
> and it's only a matter of time before this turns into an epidemic. 

Flash popups are Bug 176079, see the workaround there or here: 
http://www.mail-archive.com/mozilla-security@mozilla.org/msg02383.html.


The original problem is WFM for this report on Trunk, but I can confirm it for
Firefox 1.0 (branch).

The site uses this script http://www.entensity.net/crap/ad.js for the popunder,
which uses
http://www.paypopup.com/popup.php?id=theshane&pop=enter&t=5&subid=6552&blk=1 to
show it.

Marking WFM since the popup is blocked with trunk builds.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Version: unspecified → 1.0 Branch
(In reply to comment #9)
> The site uses this script http://www.entensity.net/crap/ad.js for the popunder,
> which uses
> http://www.paypopup.com/popup.php?id=theshane&pop=enter&t=5&subid=6552&blk=1 to
> show it.
That script reveals that they use onClick handler for Firefox to circumvent the
popup blocker.

So this is related to Bug 263777.
Here is a possible workaround/fix that may be a good idea to include in a future
update by default:

http://artsandarses.typepad.com/weblog/2005/04/websites_subver_1.html

It involves an integer value setting in about:config for
privacy.popups.disable_from_plugins.

Thanks
You need to log in before you can comment on or make changes to this bug.