Mozilla Foundation Security Advisory 2016-21

Displayed page address can be overridden

Announced

March 8, 2016

Reporter

Abdulrahman Alqabandi

Impact

Moderate

Products

Firefox, Firefox ESR

Fixed in

Firefox 45
Firefox ESR 38.7

Description

Security researcher Abdulrahman Alqabandi reported an issue where an attacker can load an arbitrary web page but the addressbar's displayed URL will be blank or filled with page defined content. This can be used to obfuscate which page is currently loaded and allows for an attacker to spoof an existing page without the malicious page's address being displayed correctly.

References

Show about:blank using javascript URI scheme (CVE-2016-1958)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-21

Displayed page address can be overridden

Description

References