Closed Bug 402647 Opened 17 years ago Closed 15 years ago

Possible security problem / javascript dialogs that hide firefox

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 402401

People

(Reporter: notify, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9

I apologize if this is a dupe. I searched and couldn't find one like this.

I went to the site boards.thenest.com/boards/ShowPost.aspx?PostID=36130606 following a link on google. I was then redirected to http://performanceoptimizer.com/.landing/index.php?4656530f4a0653445b59165866474a6f540b6f500646560a43480b5a5b0a551f5f576d53563c06020c053d050a030d6f0352050c3d5756673a590b695559035f69096d070a520b69595e3d115842560d004355450d0b081e150556

The site hide my entire web browser and showed a single javascript popup; something to the effect of if you know if you're computer is secure. Clicking cancel brings the web browser back.

Subsequent visits wouldn't bring it up, so I'm guessing the advertising attempt is stored in a cookie and only happens once. I realize this is just advertising and simple javascript, but should javascript really be powerful enough to hide the entire web browser? I don't mind the annoying popups when trying to navigate away from the site because that functionality is necessary (e.g. making sure you don't navigate away from an unsaved document) , but the initial one, if you can reproduce it, seems like something that can be fixed / disabled. 

Feel free to mark as invalid. 

Reproducible: Sometimes

Steps to Reproduce:
1.
2.
3.
URL: boards.thenest.com/boards/ShowPost.as...http://boards.thenest.com/boards/Show...
Component: Phishing Protection → Security
QA Contact: phishing.protection → firefox
Group: security
For me, loading the performanceoptimizer URL (with Options > Content > JavaScript > Advanced > "Allow scripts to: move or resize existing windows" checked) causes my browser window to fill the screen; it doesn't cause my browser window to become hidden.  I could imagine a site trying to hide the web browser behind an alert that way, though; see bug 402401 and bug 186708.

> I don't mind the annoying popups when trying to
> navigate away from the site because that functionality is necessary (e.g.
> making sure you don't navigate away from an unsaved document)

We actually do consider it to be a bug that web pages can put up prompts other than the "Are you sure you want to navigate away?" prompt using onunload and friends.  See bug 391834.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.