Mozilla Foundation Security Advisory 2006-61

Frame spoofing using document.open()

Announced: September 14, 2006
Reporter: shutdown
Impact: Low
Products: Firefox, SeaMonkey
Fixed in:
  • Firefox 1.5.0.7
  • SeaMonkey 1.0.5

Description

shutdown demonstrated a way to inject content into a sub-frame of another site using targetWindow.frames[n].document.open(), making the attacker's content look like it was part of the victim site. This is similar in effect to MFSA 2005-51.

Workaround

The victim site must first be opened in a new window (or tab) by the malicious site for this flaw to work. Do not enter a password or other sensitive information into a window "helpfully" opened by another site; always use the File menu option to open a trusted new window to which no other site has a reference.
