Mozilla Foundation Security Advisory 2005-13

Window Injection Spoofing

Announced

February 24, 2005

Reporter

Secunia

Risk

Low

Impact

Low

Products

Firefox, Mozilla Suite

Fixed in

Firefox 1.0.1
Mozilla Suite 1.7.6

Description

A website can inject content into a popup opened by another site if the target name of the popup window is known. An attacker who knows you are going to visit that other site could spoof the contents of the popup.

Open windows can now be targeted by name only by the site whose content is in the window and the site which opened the window if different. Other sites attempting to target the same named window will instead get a new unnamed window.

Workaround

Do not browse trusted sites after browsing untrusted sites

References

http://secunia.com/advisories/13129/
CAN-2004-1156
https://bugzilla.mozilla.org/show_bug.cgi?id=273699

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice