You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0) > MFSA 2005-07

Mozilla Foundation Security Advisory 2005-07

Title: Script-generated event can download without prompting
Severity: High (Firefox)
Reporter: Omar Khan
Products: Firefox

Fixed in: Firefox 1.0

Description

Script-generated click events were indistinguishable from true clicks. Combined with the Firefox Alt+click feature that downloads links to the default location without prompting this could be used by malicious sites to place executables or other malware onto a windows user's desktop without their knowing, or simply attempt to fill their disk.

Mozilla 1.7.5 was also fixed to distinguish synthetic from true clicks, but didn't suffer from unprompted downloads.

Workaround

Disable javascript or upgrade to fixed version.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=265176