84754 - Malicious javascript can be used to hide a window and pop up ads, etc.

Status: RESOLVED INACTIVE

(Core :: DOM: Core & HTML, enhancement, P5)

Description

[Steve Holland]

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-3 i686; en-US; rv:0.9.1)
Gecko/20010607
BuildID:    2001060713

There are web pages now that try to bring up a hidden window with Javascript.
The hidden window is then used as a secret source for popping up ads long after
you stop viewing the offending web page. 
Worse, the ad popups may recreate the hidden window if you try to close it. 

Reproducible: Always
Steps to Reproduce:
1.Go to www.weimer.com (one of many sites run by netidentity.com)
2.After the redirect, move on to another site. 
3.Click a few times on the new site. 
4.Be ready to shut down your browser to get rid of the ads. 

Actual Results:  After a click or two on the new site, you'll start seeing ad
after ad. The ads are generated by a window that attempts to hide itself.
Selecting the window causes it to move out of the way. On Linux with icewm, the
window shows up (possibly buried) as ~75x75 in the lower
right hand cornder of the screen and shows up in the Gnome pager as "- Mozilla..."


Expected Results:  Mozilla should inhibit the JavaScript from trying to hide the
window off screen or make it too small to see or hidden under other windows.
(Perhaps pop up a warning if the javascript tries to do this?)
Maybe javascript windows should have a yellow bar at the bottom
"WARNING: JavaScript window" like Java windows have. 


See also bug#84749 for a security bug related to this obnoxious "web bug"

function HideMe(test){

        if (test == 1) return;

        var xval;
        var yval;

        if(nameCode == 1){
                // IE
                xval = self.screenLeft;
                yval = self.screenTop;
        }else{
                // NN
                xval = self.screenX;
                yval = self.screenY;
        }

        if (xval < 10000 || xval == null){
                self.blur();
                self.moveTo(10000,10000);
                self.resizeTo(1,1);
                self.blur();
        }
}

<body onFocus="HideMe();" BGCOLOR="#C0C0C0" onUnload="Unsleep();">

Comment 1

[Matthew Cline]

With Linux build 2001060811, Linux 2.4.5 i686, RedHat 6.1, XFree86 4.1.0,
I wasn't able to reproduce with the given web site, or with the JavaScript
code.

Comment 2

[Steve Holland]

 - Javascript must be enabled (obviously).
 - Certain ad-blocking proxies might block the ad servers, so that could be why
you're not seeing it. 
 - The ads don't start popping up until you _leave_ the offending site and then
start clicking on links. 
 - The tiny window it uses to pop up the ads may or may not be easily visible
depending on your settings. If you've got a huge monitor it may just appear to
be a little tiny easy to overlook box in the corner of the screen. 
This was identified on RH6.2 with gnome and IceWM

Comment 3

[Asa Dotzler [:asa]]

->DOM

Comment 4

[Matthew Cline]

Confirmed; I've seen this when visiting some other site, but the
JS code used it the same as was reported.  (And it's *patented* to.
*&$%*#&*$# spamming bastards!)  Doesn't show quite the same behavior
with KDE 2.1; the window shrinks to a box a couple of centimeters on
a side and moves to the lower right hand corner, and still shows up on
the window/task bar, but it looks like IceWM (and problably Windows as
well) does just what the vermin were aiming for; a pox upon their house,
and I fart in their general direction!

Comment 5

[Johnny Stenback (:jst)]

This could be fixed fairly easily by not allowing windows to be opened from the
onunload event handler, but this won't be fixed right now unless someone submits
a fix.

Comment 6

[Jesse Ruderman]

Disabling window.open while the user is trying to close a window is bug 33448.

Comment 7

[Steve Holland]

While disabling popups in onUnload() would certainly help, it doesn't strike the
heart of the problem, which is the creation of a (somewhat) hidden window that
can pop up other windows at a later time. 

Perhaps "pop-up windows" (defined as windows without the usual set of widgets at
the top) should be tied to a parent "browser window" (defined as a window with
the usual set of widgets on the top) such that if the browser window is closed,
the pop-ups will close too. Having the set of widgets, of course, increases the
minimum window size, making the hidden window less hidden. 

Comment 8

[Ben Bucksch (:BenB)]

> The ads don't start popping up until you _leave_ the offending site and then
> start clicking on links. 

Does it really happen, if you click on links on another site, or is that just a
coincidence?

If the former, this is already a security problem in itself, because links
should not be observable cross-site.

A simple fix for this would be to force a certain minimum size and to force
windows to be on screen, right? (There might already be other bugs about that.)

Considering the abuse, I think this is a bug, not an enhancement.

Comment 9

[Johnny Stenback (:jst)]

Mass-reassigning bugs to dom_bugs@netscape.com

Comment 10

[Scott Gifford]

With the popup blocker and the recent checkin for bug 118717, is this fixed? 
The original example doesn't work for me, with or without with the popup blocker
enabled.

Comment 11

[Firefox Bug Husbandry Bot]

https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.