Closed Bug 313060 Opened 19 years ago Closed 19 years ago

JS seems to do bad things with toolbar; JS in one tab is active for all tabs in one window (from a phishing-site)

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED DUPLICATE of bug 124750

People

(Reporter: bugzilla, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051017 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051017 Firefox/1.6a1

Found this site via a new phishing mail. I use to open those sides to see their
progress and just to be informed what's going on. Having MacOS X makes this
not-so-risky, so I don't really care about new virus and worms. The link above
is a copy of this site, tar'ed and put on my server - I guess the origin will be
closed soon.. I only altered one page with a warning.
I found several things strange:
1. A JS seems to force the focus, so you cannot mark the URL or try to copy it
2. closing the tab reopens the tab (IE is known to be good at this..)
3. switching to another tab with a different side shown doesn't change the
forced focus from 1.  - a "cross-tab JS"?
4. switching to another tab and "close all other tabs" still reopens the site in
a tab (I have open tabs in background enabled)
5. closing the window works.
Other opened windows are not affected.

Reproducible: Always

Steps to Reproduce:
1.Open the index.html in the tar
2.Open any other side as new tab in the same window and try to close all other tabs
3.Try to mark/copy the URL in any tab in the window

Actual Results:  
Site reopens upon closing, the JS(?) is active for all other tabs in the same window

Expected Results:  
URL should be markable esp. in other tabs; closing all other tabs should not
reopen the tab though this might be normal; a JS from one tab should not affect
other tabs --> tabs are handled different than windows regarding JS?

I did not look into the code of this site - SO BE CAREFUL! Opening the site on a
Windows-machine failed due to a virus warning (PHISH/CitiBkfraud.R), the bug is
reproducable with Seamonkey@Linux. I'm not a coder, just a dumb surfer from
Mosaic till now. I don't know, if it is normal that a JS can affect other opened
tabs - but this could lead IMHO to bad security risks if a JS can interact with
other opened tabs - a tab should act like another window. I don't know better,
but for my little knowledge this is major bug regarding tabs - so I marked it
major. Correct me if I'm wrong :)
I extracted http://www.mein-zeugs.de/ufd/Phishing-Seite.tbz using "tar -xjvf
Phishing-Seite.tbz".

>1. A JS seems to force the focus, so you cannot mark the URL or try to copy it

Bug 125282, "JS shouldn't steal focus when in URL bar".

>2. closing the tab reopens the tab

WFM.  I'm using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b5)
Gecko/20051019 Firefox/1.5.  Can you elaborate as to how you're closing the tab?
Do you have pop-up blocking enabled?

>3. switching to another tab with a different side shown doesn't change the
>forced focus from 1.  - a "cross-tab JS"?

Bug 310825, "window.focus() in a background tab can steal focus from foreground
tab".
Tabs stealing focus is ringing bells, any of you guys know if this is a dupe?
There's original bug 124750, of course, and this feels a lot like bug
299677--but that one was fixed a couple months back. bug 307867 is distantly
related and also fixed, did it cause regressions?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8rc1?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:low?]
The focus-stealing-from-other-tabs is bug 310825, as verified by skimming
X2B0CB84.htm and testing in a build with a fix for that bug.  There's also bug
125282.

The only remaining problem is "2. closing the tab reopens the tab", which I
can't reproduce.
If I have eg. www.apple.com in a tab in front and the other particular site in
another tab, it reopens if I right-click "close all other tabs" and is also
reopened (sometimes twice) if I close the tab if it is in front (close with
command-w and close-box - dosen't matter). Only closing the windows with this
side gets rid of it. Block popup windows is enabled.
The focus-JS is active in all tabs in that windows, no matter which tab is in
front. Bug 124750 and 299677 sound like it, though it is not resolved then. I
have no clue about JS, so I won't look into that code to see if it is the same
function. :)
Hermann, you're using a nightly that's two days old, and bug 310825 was fixed
for yesterday's nightly.  Upgrade that that problem should be fixed :)
ah yes, the worst bit is bug 310825. I thought the fix was in yesterday's build
and was still able to reproduce the bug -- my bad, today's branch build doesn't
have the problem.

I guess the tab re-opening would be worse except neither Jesse nor I can
reproduce it. Have any tab-related extensions installed?
Group: security
restoring the security flag in case we can track down the tab reopening thing. I
initially cleared it because I was closing this as a dupe of bug 310825 (but I
think I'll wait a bit on that)
Group: security
OK.. will install the newest built - wonder why it's 2 days old anyway.. guess I
didn't see the restart windows behind all the others.. ^^

I have nothing special installed - DOM Inspector 1.9a1, Reporter 1.9a1, Talkback
1.6a1 and ChatZilla 0.9.68.5.1 - no extension regarding tabs, somehow vanilla
Nightly except ChatZilla.
CC list accessible: false
Not accessible to reporter
CC list accessible: true
Accessible to reporter
OK.. updated and the focus-problem is away.
Regarding the not-closing: I made a little mistake. The original site has this
problem, not my archive - no idea why. I didn't wanted to post the URL, but now
I have to:
http://210.95.42.150/rpm/
Hope it will stay long enough..
I still can't reproduce the not-closing bug.  I tried using Mozilla/5.0
(Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051018
Firefox/1.6a1 and going to http://210.95.42.150/rpm/.
No matter how I try to close - it reopens as long as I don't close the window.
If I try to close when another site is in front (by close all other tabs), it
reopens and also switches to the reopened site.
Well.. the site gone down as expected and my archived pages don't create the
not-closing-tab-problem - no idea why. The focus bug is fixed again in current
built, so I tend to close the bug as a duplicate. I'll leave the tar on my
server just in case someone wants to investigate anything regarding the JS-bug.
Therefor I mark it as reborn duplicate of bug 124750, the oldest focus bug
report I found. Hope that this bug keeps closed, perhaps someone should write a
nice comment into the source to prevent reappearing again..
I will look for further phishing mails like that - they address german banks, so
- as a postmaster - I think I will see this site somewhere again.. ^^ Next time
I will try to completely sync the pages to find the tab-not-closing-bug again.
Thanx for your help anyway :)

*** This bug has been marked as a duplicate of 124750 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Group: security
Status: RESOLVED → VERIFIED
Flags: blocking1.8rc1?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:low?]
(In reply to comment #12)
> - as a postmaster - I think I will see this site somewhere again.. ^^ Next time
> I will try to completely sync the pages to find the tab-not-closing-bug again.

I noticed that the site used document.write to add links and other content,
mostly relative to the server. maybe there was a reference that didn't get
saved, and hard to see how links "/style/somefile.css" would work on a local
file system even if the document were saved as "web page complete". Watch out
for that kind of thing.
You need to log in before you can comment on or make changes to this bug.