Mozilla Foundation Security Advisory 2016-28
Addressbar spoofing though history navigation and Location protocol property
- Announced
- March 8, 2016
- Reporter
- Tsubasa Iinuma
- Impact
- Moderate
- Products
- Firefox, Firefox ESR
- Fixed in
-
- Firefox 45
- Firefox ESR 38.7
Description
Security researcher Tsubasa Iinuma reported a mechanism where the displayed addressbar can be spoofed to users. This issue involves using history navigation in concert with the Location protocol property. After navigating from a malicious page to another, if the user navigates back to the initial page, the displayed URL will not reflect the reloaded page. This could be used to trick users into potentially treating the page as a different and trusted site.