Firefox 10.0.X: Navigation away from a page with multiple active <select> dropdown menus can be used for Spoofing And ClickJacking with XPI using location.href and geolocation

RESOLVED DUPLICATE of bug 726264

Status

Firefox
Untriaged
6 years ago
a year ago

People

(Reporter: Jordi Chancel, Unassigned)

Tracking

10 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 726264], URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 599561 [details]
TESTCASE2.0-document.location geolocalisation.zip

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Build ID: 20120215223356

Steps to reproduce:

Like bug 575294, Firefox 10.0.1 shows the dropdown menu for <select> elements as an always-on-top chromeless window. It also allows arbitrary HTML content to be rendered in the <option> elements within the <select>.
With location.href and geolocation we can cover a Java applet or an XPI for evil.


Actual results:

This bug demonstrates that an attacker can cover a Java applet or an XPI for evil.

I think this issue is critical.
(Reporter)

Updated

6 years ago
Is the underlying issue here any different from that in bug 726264?
(Reporter)

Comment 2

6 years ago
Al Billings wants me to report this because it uses another JavaScript function (location.href, not window.open)!
(In reply to Jordi Chancel from comment #2)
> Al Billings wants me to report this because it uses another JavaScript
> function (location.href, not window.open)!

Okay :) I'll Cc the developers from the other bug so they can check if there's a different problem here or just another manifestation of the same problem (I cannot really judge that).
Status: UNCONFIRMED → NEW
Ever confirmed: true
The method used to trigger the navigation is irrelevant to the floating select issue.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 726264]
Duplicate of bug: 726264
(Reporter)

Updated

2 years ago
Alias: -CVE-2012-3984-
(Reporter)

Updated

2 years ago
Alias: -CVE-2012-3984-

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release