Mozilla Foundation Security Advisory 2007-30

onUnload Tailgating

Announced
October 18, 2007
Reporter
Michal Zalewski
Impact
Low
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 2.0.0.8
  • SeaMonkey 1.1.5

Description

Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the bookmark contained sensitive information in the URL the attacking page might be able to take advantage of it. An attacking page would also be able to redirect the user, perhaps to a phishing page that looked like the site the user thought they were about to visit.

References