Mozilla Foundation Security Advisory 2016-28

Addressbar spoofing though history navigation and Location protocol property

Announced

March 8, 2016

Reporter

Tsubasa Iinuma

Impact

Moderate

Products

Firefox, Firefox ESR

Fixed in

Firefox 45
Firefox ESR 38.7

Description

Security researcher Tsubasa Iinuma reported a mechanism where the displayed addressbar can be spoofed to users. This issue involves using history navigation in concert with the Location protocol property. After navigating from a malicious page to another, if the user navigates back to the initial page, the displayed URL will not reflect the reloaded page. This could be used to trick users into potentially treating the page as a different and trusted site.

References

address bar spoofing using location.protocol and history.back (CVE-2016-1965)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-28

Addressbar spoofing though history navigation and Location protocol property

Description

References