Closed
Bug 559598
Opened 15 years ago
Closed 14 years ago
malicious javascript prevents leaving the page using onbeforeunload and other tricks
Categories
(Firefox :: Security, defect)
RESOLVED
DUPLICATE
of bug 560767
People
(Reporter: firealwaysworks, Unassigned)
References
(Blocks 1 open bug)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
This website is running some malicious javascript to prevent the window from being closed properly. The malicious javascript is not obfuscated and I believe it is located here: http://socialfreebies.com/functions.js
There seems to be a network of websites running this malicious code here is another page:
http://www.grantaladdinwish.com/hv1/MjAxMDA0MTUwLTI0LjExOS4xODEuMTIy/index.php?web_id=CD1&pt_id=d58dfa33d711c6e3376dcc4b63656478&&web_id=e43PuzIQExitPopPCExitPop&orig=CD43
Reproducible: Always
Steps to Reproduce:
1. Go to one of the links provided
2. Try to close the tab.
Actual Results:
You will be taken for a wild ride.
Expected Results:
The red X would close the tab.
NoScript rocks, but I shouldn't need it. I thought this javascript attack died out a decade ago.
Comment 2•15 years ago
Can you be more specific with your "Actual results"? I just get a single dialog from Firefox confirming that I want to close the page. If I click OK in that dialog, the tab goes away entirely.
Blocks: eviltraps
Group: core-security
Summary: malicious javascript → malicious javascript prevents leaving the page
Try hitting "Cancel" or the "X" to close the window. If you really think this is acceptable behavior then I'm going to use NoScript for the rest of my life.
Comment 4•15 years ago
Clicking [X] on the tab, then the 2 following dialog boxes and then [X] on the tab again works here on Fx 3.6.4. Annoying? Yes. Wild ride? No.
Actually it looks like their redirect system has been modified a bit. This could be used to redirect indefinitely (as long as you hit X or cancel), and it was doing just that (Until I killed firefox :).
I know an exploit when I see it, because I write a lot of them (http://milw0rm.com/author/677)
Comment 7•15 years ago
(In reply to comment #3)
> Try hitting "Cancel" Or the "X" to close the window. If you really think this
> is acceptable behavior then I'm going to use no-script for the rest of my life.
An onbeforeunload dialog gives you a choice between leaving the page and staying on the page. The button labels could certainly use improvement (bug 246365). As you point out, many users' reaction upon seeing an unexpected dialog from a malicious site is to hit Cancel, which isn't the "correct" button to press if you want to leave.
I'm not sure we want to change the behavior of X/Esc. That would hurt on sites like Gmail that use onbeforeunload for legitimate purposes.
Summary: malicious javascript prevents leaving the page → malicious javascript prevents leaving the page using onbeforeunload and other tricks
Comment 8•15 years ago
This site's onbeforeunload event handler does two things. It redirects to another page *and* instructs the browser to show an onbeforeunload dialog. We should probably disallow the redirect (cf bug 391834).
Also I'd love to turn it into a lightbox, so a second click on the tab-bar close button can close it.
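A toy model of the close flow comment 8 describes, added here as an illustration (it is not code from this bug or from Firefox). The handler gets a `navigate()` callback standing in for writes to `window.location`, and `blockRedirects` is the hypothetical policy from the thread: ignore navigation requested while the beforeunload handler runs. All handlers and user behaviours are constructed.

```javascript
// Constructed handlers. The exit-pop one mirrors what the thread describes:
// it asks for a redirect *and* returns a message so the browser shows a dialog.
const exitPopHandler = (navigate) => {
  navigate("http://next-page.invalid/");   // placeholder target, not a real site
  return "Are you sure you want to leave?";
};
// Legitimate use (the Gmail case from comment 7): a prompt only, no redirect.
const unsavedChangesHandler = () => "You have unsaved changes.";

// Simulates a user repeatedly trying to close the tab. `userLeaves(message)`
// returns true for "leave" and false for "stay" (Cancel or the dialog's X).
// Each loop round is one close attempt; maxRounds stands for the user giving up.
function simulateClose(handler, userLeaves, blockRedirects, maxRounds = 5) {
  const result = { closed: false, dialogs: 0, redirects: 0 };
  for (let round = 0; round < maxRounds; round++) {
    let target = null;
    const message = handler((url) => { target = url; });
    if (message == null) {            // no dialog requested: the tab just closes
      result.closed = true;
      return result;
    }
    result.dialogs++;
    if (userLeaves(message)) {        // "leave" wins over any pending redirect
      result.closed = true;
      return result;
    }
    // The user chose to stay. With the policy the redirect is dropped and the
    // page simply stays open. Without it the pending navigation loads the next
    // page, which installs the same handler, so the next close attempt repeats.
    if (target === null || blockRedirects) return result;
    result.redirects++;
  }
  return result;                      // still trapped when the user gave up
}

// Constructed user behaviours; cancelThenLeave() is a factory so each run is fresh.
const alwaysCancel = () => false;
const alwaysLeave = () => true;
const cancelThenLeave = () => { let n = 0; return () => n++ > 0; };
```

Running `simulateClose(exitPopHandler, alwaysCancel, false)` shows the loop (one redirect per cancelled close), while the same call with `blockRedirects = true` ends after a single dialog.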
Comment 9•15 years ago
We should probably make Esc do nothing and hide the X (close-dialog) button.
Comment 10•15 years ago
I filed bug 560767 for disallowing redirects. The bad button labels (bug 246365) are the biggest problem, unless I'm missing something.
Comment 11•14 years ago
As Jesse has created bug 560767 for the only remaining item, I am marking this a duplicate of bug 560767.
Also please note the fix for bug 61098: users can now suppress alert/confirm/prompt.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
No longer depends on: 560767
Resolution: --- → DUPLICATE