Closed Bug 485842 Opened 13 years ago Closed 2 months ago

Popup blocker fails to block popups which open in the background while firefox browse window is open.


(Core :: DOM: Core & HTML, defect, P5)






(Reporter: the8thbit, Unassigned)


User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/2009032711 Linux Mint/6 (Felicia) Firefox/3.0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/2009032711 Linux Mint/6 (Felicia) Firefox/3.0.8

If one opens a browse window, such as when saving an image or uploading a file, and a popup opens in a tab in the main Firefox window, the popup blocker will fail to block the popup, and the popup will be opened in a new tab.

This is a possible security issue, as malicious code could be used to open the file-browser window, or another similar window in the background, before opening a pop-up window in the foreground which executes some action. 


Go to this website: (make sure you have a popup blocker enabled.) 
Go to in a new tab
Click the "Browse..." button under the input field.

NOTE: This will require you to force-close Firefox.

Reproducible: Always

Steps to Reproduce:
1. Go to this website: (make sure you have a popup blocker enabled.) 
2. Go to in a new tab
3. Click the "Browse..." button under the input field.

Actual Results:
Several pop-ups opened in new tabs, which should have been blocked. Force Quit was required. 

Expected Results:  
Pop-ups should have been blocked.

I'm using adblock+ and tabmix+, which may have had an effect on this bug. I am also using the MonoChrome theme.
Version: unspecified → 3.0 Branch
EDIT: The page I used as an example for the bug has expired.
We don't consider pop-ups a "security" problem. They're definitely an annoyance that we want to stop, but there's nothing malicious a popup can do that an attacker couldn't do in the attacking page in terms of a security exploit.

The link you gave is to a Flash object; these might be Flash popups, not browser popups. And given the 4chan domain this is probably full of the tricks discussed in the "eviltraps" bug.

If the link you gave is now dead we might have to close this one and just assume for now that it's similar tricks to other bugs we've got on file.
Group: core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
QA Contact: firefox → general
Version: 3.0 Branch → unspecified
Here, go here:

begin the test. Firefox will block all popups.

Begin the test again, this time, immediately go to and click on the 'browse...' button. All popups will get through.

While I wasn't sure if this would be considered a security issue, it can crash Firefox, and it causes window focus to be kept on Firefox, making it very hard to close the process.
Severity: critical → major
I am using a 3.5 branch nightly on Windows and I tried the test. It failed the final test: User-launched Delayed-method popup allowing = Failed. So these instructions seem to point to some weaknesses in the popup blocker.
Under Ubuntu 9.04 and Firefox 3.0.10 the test will cause a failed test for test 9 - User-launched Delayed-method popup allowing. This is the same result as in Windows. The popup stays open. Unfortunately it is not consistent. Under Ubuntu Linux some of the other tests will occasionally report as failed, but there are no popups that do not close except for the final test. So for some reason these tests are reporting a fail when it should be a pass. I think.

Move all DOM bugs that haven't been updated in more than 3 years and have no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5

Marking this as Resolved > Incomplete since the last real activity on this issue was 13 years ago (and the provided links don't work anymore) and it might not be relevant anymore.
Feel free to re-open it if it's not the case and the issue is still relevant.

Closed: 2 months ago
Resolution: --- → INCOMPLETE