Closed Bug 410735 Opened 17 years ago Closed 17 years ago

Malicious JS confirmation/alert box in infinite loop will render Firefox unusable, must be killed, and session can't be restored easily

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 61098

People

(Reporter: hmpxrii, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008010304 Minefield/3.0b3pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008010304 Minefield/3.0b3pre

Any page with a script that displays a confirmation or alert box in an infinite loop, will make it impossible for the user to navigate to another page or to close the window, since the confirmation/alert box will always steal focus and never go away. It is also impossible to switch to other tabs in the same window.

This is especially problematic if you have many tabs open, since the session can't easily be restored without loading the same page again. A malicious page could also keep loading offensive material and/or open pop-up windows without allowing the user to stop the script by closing the tab.


Reproducible: Always

Steps to Reproduce:
1. Make a page with the following code:

<html>
<body>
<script>
while(true) alert("You will now have to kill your browser.");
</script>
</body>
</html>

2. Navigate to this page. You will now not be able to close the current tab or window, or access any other tabs in the current window.
Actual Results:  
I was unable to close the window or navigate to any other page.

Expected Results:  
I expect to be able to close any page that tries to run annoying scripts (or any other page, for that matter).

The problem depends slightly on what OS/window manager you are using. For example, using twm on Linux, it is possible to resolve it by closing the current tab with the keyboard shortcut (ctrl-W), but not by using the mouse. Using Gnome, Windows or Mac OS, the application must be killed.

This should be resolved by replacing the confirmation/alert boxes with a widget that does not steal focus from the main application.
Dup of bug 61098 or bug 59314.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.