Mozilla Foundation Security Advisory 2010-83
Location bar SSL spoofing using network error page
- Announced
- December 9, 2010
- Reporter
- Michal Zalewski
- Impact
- High
- Products
- Firefox, SeaMonkey
- Fixed in
-
- Firefox 3.5.16
- Firefox 3.6.13
- SeaMonkey 2.0.11
Description
Google security researcher Michal Zalewski reported that when a window was opened to a site resulting in a network or certificate error page, the opening site could access the document inside the opened window and inject arbitrary content. An attacker could use this bug to spoof the location bar and trick a user into thinking they were on a different site than they actually were.