608804 - "Reported attack site" with running script behind it.

Status: RESOLVED INVALID

(Toolkit :: Safe Browsing, defect)

Description

[zman900]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

When hitting this site via a Google search ("http://secure-website.is.com/firefox-updates/") it pops up the "reported attack" page then follows with a looping JavaScript alert message box that you can't get rid of.  When this happens you CANNOT close any tab or the firefox window and are forced to "End Task" it in the windows task manager.

Whether this is a spoofed attack page or not I am not certain (I'm not going to play around too much with this), but, if anything else, the "alert()" blocking the firefox window/tab is a problem.

Reproducible: Always

Steps to Reproduce:
1. Go to web site
2. *Attack* page appears
3. Javascript alert message cycles endlessly (pressing cancel)
4. Both window and tab are uncloseable due to the message box

Actual Results:  
Page was stuck in continuous message box loop, tab and window not closeable.

Expected Results:  
IF it wasn't a spoofed page, it should not have run the javascript.

Spoofed or not, The tab and/or window should be close-able despite the JavaScript alert() message box being there.

Comment 1

[David Dahl :ddahl]

This is not a bug with Firefox, it is merely a page that (if it is an attack site) that has not made it into the google safebrowsing database. You can report that page directly to google: http://www.google.com/safebrowsing/report_badware/

If you think alert in a loop is a bug, you can report it to the JS component in bugzilla

Comment 2

[LafinJack]

I reached the same site, and I got past the loop by accepting one of the dialogs then *not* accepting the download it started.