Built-in pop-up blocker causes infinite recursion on BofA site

NEW
Unassigned

Status

()

Firefox
General
--
critical
10 years ago
7 years ago

People

(Reporter: jcblake, Unassigned)

Tracking

({footprint})

Trunk
All
Windows XP
footprint
Points:
---
Bug Flags:
blocking-firefox3.5 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [product/component?], URL)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0

On the page https://www3.bankofamerica.com/surveys/survey_popup_invoker.cfm?surveynumber=25&blurwindow=

This pop-up loader shows up from time to time after logging into BofA site. When this URL is loaded, it invokes a script that tries to load a pop-up. It seems that if Firefox's pop-up blocker is enabled, the script tries (and fails) to load the pop-up over and over again. Over time, this slowly eats up all available memory unless you navigate away from the page.


Reproducible: Always

Steps to Reproduce:
1. Ensure Firefox 3 pop-up blocker is active and bankofamerica.com is not whitelisted.
2. Open https://www3.bankofamerica.com/surveys/survey_popup_invoker.cfm?surveynumber=25&blurwindow=
Actual Results:  
Pop-up counter will count quickly into the thousands and FFx3 memory footprint will slowly grow.

A related side effect is that once the number of pop-ups blocked gets into the tens of thousands, FireFox has to massively increase its memory footprint just to show the menu associated with the pop-up blocker icon in the status bar.

Expected Results:  
FFx3 should recognize the recursive script and stop running it after the browser reaches a reasonable threshold of pop-up blocks (e.g. 50 or 100?)

Memory also grows when browsing to this URL in IE7 when pop-ups are blocked, but at a lower rate. Interestingly, IE exhibits higher sustained CPU utilization under the above test scenario.
(Reporter)

Updated

10 years ago
Severity: major → critical
Version: unspecified → 3.0 Branch
Confirmed on:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0

BTW I see a huge increase in CPU but not so much in memory, definitely agree though that there should be a cap.
Its not really just a recursive script though, its infinite invocations of a relatively small script.  The only way to really block this is to disable JS completely on the page (or I suppose just the method in question, if its always the same) if we trigger some sort of abuse threshold.
(Reporter)

Comment 3

10 years ago
Original URL seems to be intermittent, this one still works (for the moment):

https://www2.bankofamerica.com/surveys/survey_popup_invoker.cfm?surveynumber=25&blurwindow
(In reply to comment #2)
> Its not really just a recursive script though, its infinite invocations of a
> relatively small script.  The only way to really block this is to disable JS
> completely on the page (or I suppose just the method in question, if its always
> the same) if we trigger some sort of abuse threshold.
> 

How about just denying any URL for any given page once, and further invocations of that same URL that don't pass (i.e. that don't come from a click, etc.) should just be entirely ignored?
(Reporter)

Comment 5

10 years ago
Validated still a problem on trunk.
Version: 3.0 Branch → Trunk

Comment 6

10 years ago
or only remember the most recent 5 or so popup attempts (per page).
I confirm also the footprint. Sometimes the memory grows of some Mb.
To which product/component this bug must be moved?

(In reply to comment #2)
> Its not really just a recursive script though, its infinite invocations of a
> relatively small script.  The only way to really block this is to disable JS
> completely on the page

It's an idea. If popups are more than X (for example 30), javascript is disabled. This could prevent also an overflow of not-blocked popups.

There's only a problem: the mini-script how is called? If there's another script that calls the mini-script indefinitely, I think Fx should block it. But the page could have a meta refresh tag pointed to itself.

How can we see the script code of that site?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: footprint, qawanted
Whiteboard: [product/component?]
(Reporter)

Updated

9 years ago
Flags: blocking-firefox3.1?
Hardware: PC → All
This needs a better component; whatever the solution it's going to be some sort of annoyance detection and prevention.
Flags: blocking-firefox3.1? → blocking-firefox3.1-
Lucas, what was your qawanted request here. please add qawanted back with a better request description.

Also does this bug still exist in latest version of Fx?
Keywords: qawanted
You need to log in before you can comment on or make changes to this bug.