Mozilla Foundation Security Advisory 2007-04

Spoofing using custom cursor and CSS3 hotspot

Announced

February 23, 2007

Reporter

David Eckel

Impact

Low

Products

Firefox, SeaMonkey

Fixed in

Firefox 1.5.0.10
Firefox 2.0.0.2
SeaMonkey 1.0.8

Description

David Eckel reported that browser UI elements--such as the host name and security indicators--could be spoofed by using a large, mostly transparent, custom cursor and adjusting the CSS3 hotspot property so that the visible part of the cursor floated outside the browser content area.

This feature was introduced in Firefox 1.5 and does not affect products based on Mozilla 1.7 or earlier such as Firefox 1.0

Workaround

Any such spoofing can be made less effective by customizing the appearance of your browser. Right-click on an empty toolbar area and select "Customize..." to move, add, or delete toolbar buttons and other elements.

References

CVE-2007-0779
https://bugzilla.mozilla.org/show_bug.cgi?id=361298

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice