Closed
Bug 282382
Opened 20 years ago
Closed 20 years ago
javascript pop up / under bypasses protection with doc.write
Categories
(Firefox :: General, defect)
RESOLVED DUPLICATE of bug 282931
People
(Reporter: saiyine, Assigned: bugzilla)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; es-ES; rv:1.7.5) Gecko/20041108 Firefox/1.0 (Saiyine)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; es-ES; rv:1.7.5) Gecko/20041108 Firefox/1.0 (Saiyine)
This javascript trick allows pop ups to open bypassing the blocking:
doc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
doc.write('/w/pop.cgi?sid=6181&m=2&v=1.6&u='+url+'&c='+bust+'"></scr'+'ipt>');
Reproducible: Always
Steps to Reproduce:
Comment 1•20 years ago
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b) Gecko/20050216 Firefox/1.0+

It is possible that this defect has already been fixed. Would you be able to check in a nightly?
Comment 2•20 years ago
(In reply to comment #1)
> Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b) Gecko/20050216
> Firefox/1.0+
>
> It is possible that this defect has already been fixed. Would you be able
> to check in a nightly?

It is also possible that it is still in, as I have seen a pop-under with the URL 'http://205.180.85.40/w/pc.cgi?mid=60007&sid=6181' after going to the URL specified and several others.
Comment 3•20 years ago
See Bug 253831 comment 146
Comment 4•20 years ago
Can confirm it for Windows XP.
Appeared on tvtome.com.
Code of page:
<!-- FASTCLICK.COM POP-UNDER CODE v1.8 for tvtome.com (24 hour) -->
<script language="javascript"><!--
var dc=document; var date_ob=new Date();
dc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
if(dc.cookie.indexOf('e=llo') <= 0 && dc.cookie.indexOf('2=o') > 0){
dc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
dc.write('/w/pop.cgi?sid=878&m=2&tp=2&v=1.8&c='+bust+'"></scr'+'ipt>');
date_ob.setTime(date_ob.getTime()+86400000);
dc.cookie='he=llo; path=/; expires='+ date_ob.toGMTString();} // -->
</script>
<!-- FASTCLICK.COM POP-UNDER CODE v1.8 for tvtome.com -->
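Added example, not part of the bug report or of any Mozilla code: the snippet in comment 4 keeps the external `<script src>` out of a plain source scan by splitting the tag across string literals and two `write()` calls. This sketch folds those literals back together to recover the injected URL for review or blocklisting; `foldWriteCalls`, `injectedScripts` and the `{name}` placeholder for runtime variables are names chosen here, and the regex only handles arguments built from string literals, identifiers and `+`.

```javascript
// Sample input: the publisher snippet quoted in comment 4 (cookie-expiry lines trimmed).
const SAMPLE = `<script language="javascript"><!--
var dc=document; var date_ob=new Date();
dc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
if(dc.cookie.indexOf('e=llo') <= 0 && dc.cookie.indexOf('2=o') > 0){
dc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
dc.write('/w/pop.cgi?sid=878&m=2&tp=2&v=1.8&c='+bust+'"></scr'+'ipt>');
} // -->
</script>`;

const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Naive scan: every <script src="..."> that appears literally in the markup.
function scriptSources(markup) {
  return [...markup.matchAll(SCRIPT_SRC)].map((m) => m[1]);
}

// Rebuild what consecutive X.write(...) calls would emit: string literals are
// joined as-is, identifiers (values known only at run time) become {name}.
// X can be document or any alias of it (dc, doc), so the object name is ignored.
function foldWriteCalls(source) {
  const callRe = /\b[A-Za-z_$][\w$]*\.write\(((?:'[^']*'|"[^"]*"|[^()'"])*)\)/g;
  const tokenRe = /'([^']*)'|"([^"]*)"|([A-Za-z_$][\w$.]*)/g;
  let out = '';
  for (const call of source.matchAll(callRe)) {
    for (const tok of call[1].matchAll(tokenRe)) {
      if (tok[3] !== undefined) out += '{' + tok[3] + '}';
      else out += tok[1] !== undefined ? tok[1] : tok[2];
    }
  }
  return out;
}

// Script URLs that only exist after the write() output is assembled.
function injectedScripts(source) {
  return scriptSources(foldWriteCalls(source)).map((src) => {
    let host = null;
    try {
      host = new URL(src).host;
    } catch (e) {
      // relative or malformed URL: report the src without a host
    }
    return { src, host };
  });
}

console.log('literal script src:', scriptSources(SAMPLE));
console.log('written script src:', injectedScripts(SAMPLE));
```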
Comment 5•20 years ago
(In reply to comment #4)
> code of page:
>
> [ snip ]
> <!-- FASTCLICK.COM POP-UNDER CODE v1.8 for tvtome.com -->

See also Bug 253831 comment 169.

The first time I saw this exploit was in this report, but www.drudgereport.com seems to have priority. If there is a bug open concerning www.drudgereport.com, then this is a Dup of it; otherwise it is just a dependency of Bug 253831.

Popup blocker blocking is now getting quite a lot of coverage in non-geek circles, videlicet:

Why ads don't show up every time a site is visited: A number of readers have wondered why these ads don't appear every time they visit a particular site. Other readers found that after trying some trick, the next time they visited a site the ads didn't appear, thus leading them to believe that they'd found a "fix." Note that most of these sites use cookies to determine if you've already "seen" their pop-up or pop-under ads, so once the ad appears, you will not see it again until the next hour/day/week/etc. (whatever time period the site or ad provider have chosen). Some users have misinterpreted this behavior as a reflection that something they've done has "prevented" seeing ads, but the reality is that the site has simply fulfilled its hourly/daily/weekly ad quota for those users.
http://www.macfixit.com/article.php?story=20050218022511830

Popuptraffic is the intelligent way to make your website more profitable.
http://www.popuptraffic.com/

In shorthand: if you don't view the popup before closing it, or try to block it, you'll get blasted with a Full Page Banner Ad. Call it Revenge of the Popup. This is partly testimony to the success of popup blockers. iMedia quote the CEO of FBPA Group as saying that "Many sites, both large and small, have told us that at least 25 percent of all users have some sort of pop-up blocker activated." Which is impressive. Expect the popup war to grind on.
http://loosewire.typepad.com/blog/2004/01/revenge_of_the_.html

The truth is that Mozilla is currently not a big enough market for the companies to worry about. In fact, most current implementations of floating DIV ads leave mozilla users alone. Don't expect this privilege to continue if our little underdog of a browser earns any significant market share.
http://yro.slashdot.org/article.pl?sid=04/04/28/2011234&mode=thread&tid=111&tid=126&tid=158&tid=99

Fastclick therefore provides an opt-out cookie to block Fastclick ad serving cookie placement. Our opt-out system will attempt to erase all previous cookies from Fastclick (if any exist). We then place one cookie on your computer that will identify your browser as being opted out of Fastclick ad serving cookies and pop-under ads. If you have other browsers or users on the same computer, you will need to opt-out each one. If you erase the opt-out cookie from your computer you will need to repeat the process. The opt-out system is in beta.
http://www.fastclick.com/v4/safe_optout.go

In one example, visitors to the Drudge Report Web site who use the Service Pack version of IE or Mozilla.org's Firefox browser with a pop-up blocker will nevertheless receive a pop-under ad if they click a link on the page.
http://news.com.com/Revenge+of+the+pop-ups/2100-1024_3-5408453.html?tag=st.pop

Unless you think that this report will produce some work on a putative popup blocker buster blocker, then I suggest that it can be closed.
Comment 6•20 years ago
(In reply to comment #5)
> (In reply to comment #4)
> [ snip ]
>
> If there is a bug open concerning www.drudgereport.com, then this is
> a Dup of it; otherwise it is just a dependency of Bug 253831.

Bug 265186 "Several links on drudgereport.com have popups that Firefox doesn't block."

I suspect that http://www.drudgereport.com/ may have changed over time.

Is there any work going on anywhere to fix this? Do we have to do something to ensure that javascript emitted by doc.write( ) is tainted in a perlish sense?
That is because Fastclick.net uses Flash plugins for popups for Firefox. See bug 253831 comment 231.
Comment 8•20 years ago
(In reply to comment #7)
> That is because Fastclick.net uses Flash plugins for popups for Firefox.

Which of the fusillade of busted pop-up blocker bug reports are duplicates, and which need fixing, and which of those need help?
*** This bug has been marked as a duplicate of 282931 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Comment 10•20 years ago
Oh. I should have said: see especially bug 282931 comment 6.