Closed Bug 313060 Opened 19 years ago Closed 19 years ago

JS seems to do bad things with toolbar; JS in one tab is active for all tabs in one window (from a phishing-site)

Categories

(Firefox :: Security, defect)

PowerPC
macOS
defect
Not set
major

Tracking

()

VERIFIED DUPLICATE of bug 124750

People

(Reporter: bugzilla, Unassigned)

References

()

Details

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051017 Firefox/1.6a1 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051017 Firefox/1.6a1 Found this site via a new phishing mail. I use to open those sides to see their progress and just to be informed what's going on. Having MacOS X makes this not-so-risky, so I don't really care about new virus and worms. The link above is a copy of this site, tar'ed and put on my server - I guess the origin will be closed soon.. I only altered one page with a warning. I found several things strange: 1. A JS seems to force the focus, so you cannot mark the URL or try to copy it 2. closing the tab reopens the tab (IE is known to be good at this..) 3. switching to another tab with a different side shown doesn't change the forced focus from 1. - a "cross-tab JS"? 4. switching to another tab and "close all other tabs" still reopens the site in a tab (I have open tabs in background enabled) 5. closing the window works. Other opened windows are not affected. Reproducible: Always Steps to Reproduce: 1.Open the index.html in the tar 2.Open any other side as new tab in the same window and try to close all other tabs 3.Try to mark/copy the URL in any tab in the window Actual Results: Site reopens upon closing, the JS(?) is active for all other tabs in the same window Expected Results: URL should be markable esp. in other tabs; closing all other tabs should not reopen the tab though this might be normal; a JS from one tab should not affect other tabs --> tabs are handled different than windows regarding JS? I did not look into the code of this site - SO BE CAREFUL! Opening the site on a Windows-machine failed due to a virus warning (PHISH/CitiBkfraud.R), the bug is reproducable with Seamonkey@Linux. I'm not a coder, just a dumb surfer from Mosaic till now. I don't know, if it is normal that a JS can affect other opened tabs - but this could lead IMHO to bad security risks if a JS can interact with other opened tabs - a tab should act like another window. I don't know better, but for my little knowledge this is major bug regarding tabs - so I marked it major. Correct me if I'm wrong :)
I extracted http://www.mein-zeugs.de/ufd/Phishing-Seite.tbz using "tar -xjvf Phishing-Seite.tbz". >1. A JS seems to force the focus, so you cannot mark the URL or try to copy it Bug 125282, "JS shouldn't steal focus when in URL bar". >2. closing the tab reopens the tab WFM. I'm using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b5) Gecko/20051019 Firefox/1.5. Can you elaborate as to how you're closing the tab? Do you have pop-up blocking enabled? >3. switching to another tab with a different side shown doesn't change the >forced focus from 1. - a "cross-tab JS"? Bug 310825, "window.focus() in a background tab can steal focus from foreground tab".
Tabs stealing focus is ringing bells, any of you guys know if this is a dupe? There's original bug 124750, of course, and this feels a lot like bug 299677--but that one was fixed a couple months back. bug 307867 is distantly related and also fixed, did it cause regressions?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8rc1?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:low?]
The focus-stealing-from-other-tabs is bug 310825, as verified by skimming X2B0CB84.htm and testing in a build with a fix for that bug. There's also bug 125282. The only remaining problem is "2. closing the tab reopens the tab", which I can't reproduce.
If I have eg. www.apple.com in a tab in front and the other particular site in another tab, it reopens if I right-click "close all other tabs" and is also reopened (sometimes twice) if I close the tab if it is in front (close with command-w and close-box - dosen't matter). Only closing the windows with this side gets rid of it. Block popup windows is enabled. The focus-JS is active in all tabs in that windows, no matter which tab is in front. Bug 124750 and 299677 sound like it, though it is not resolved then. I have no clue about JS, so I won't look into that code to see if it is the same function. :)
Hermann, you're using a nightly that's two days old, and bug 310825 was fixed for yesterday's nightly. Upgrade that that problem should be fixed :)
ah yes, the worst bit is bug 310825. I thought the fix was in yesterday's build and was still able to reproduce the bug -- my bad, today's branch build doesn't have the problem. I guess the tab re-opening would be worse except neither Jesse nor I can reproduce it. Have any tab-related extensions installed?
Group: security
restoring the security flag in case we can track down the tab reopening thing. I initially cleared it because I was closing this as a dupe of bug 310825 (but I think I'll wait a bit on that)
Group: security
OK.. will install the newest built - wonder why it's 2 days old anyway.. guess I didn't see the restart windows behind all the others.. ^^ I have nothing special installed - DOM Inspector 1.9a1, Reporter 1.9a1, Talkback 1.6a1 and ChatZilla 0.9.68.5.1 - no extension regarding tabs, somehow vanilla Nightly except ChatZilla.
CC list accessible: false
Not accessible to reporter
CC list accessible: true
Accessible to reporter
OK.. updated and the focus-problem is away. Regarding the not-closing: I made a little mistake. The original site has this problem, not my archive - no idea why. I didn't wanted to post the URL, but now I have to: http://210.95.42.150/rpm/ Hope it will stay long enough..
I still can't reproduce the not-closing bug. I tried using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051018 Firefox/1.6a1 and going to http://210.95.42.150/rpm/.
No matter how I try to close - it reopens as long as I don't close the window. If I try to close when another site is in front (by close all other tabs), it reopens and also switches to the reopened site.
Well.. the site gone down as expected and my archived pages don't create the not-closing-tab-problem - no idea why. The focus bug is fixed again in current built, so I tend to close the bug as a duplicate. I'll leave the tar on my server just in case someone wants to investigate anything regarding the JS-bug. Therefor I mark it as reborn duplicate of bug 124750, the oldest focus bug report I found. Hope that this bug keeps closed, perhaps someone should write a nice comment into the source to prevent reappearing again.. I will look for further phishing mails like that - they address german banks, so - as a postmaster - I think I will see this site somewhere again.. ^^ Next time I will try to completely sync the pages to find the tab-not-closing-bug again. Thanx for your help anyway :) *** This bug has been marked as a duplicate of 124750 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Group: security
Status: RESOLVED → VERIFIED
Flags: blocking1.8rc1?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:low?]
(In reply to comment #12) > - as a postmaster - I think I will see this site somewhere again.. ^^ Next time > I will try to completely sync the pages to find the tab-not-closing-bug again. I noticed that the site used document.write to add links and other content, mostly relative to the server. maybe there was a reference that didn't get saved, and hard to see how links "/style/somefile.css" would work on a local file system even if the document were saved as "web page complete". Watch out for that kind of thing.
You need to log in before you can comment on or make changes to this bug.