You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.5.0.7) > MFSA 2006-61

Mozilla Foundation Security Advisory 2006-61

Title: Frame spoofing using document.open()
Impact: Low
Announced: September 14, 2006
Reporter: shutdown
Products: Firefox, SeaMonkey

Fixed in: Firefox 1.5.0.7
  SeaMonkey 1.0.5

Description

shutdown demonstrated a way to inject content into a sub-frame of another site using targetWindow.frames[n].document.open(), making the attackers content look like it was part of the victim site. Similar in effect to MFSA 2005-51.

Workaround

The victim site must first be opened in a new window (or tab) by the malicious site for this flaw to work. Do not enter a password or other sensitive information into a window "helpfully" opened by another site, always use the File menu option to open a trusted new window to which no other site has a reference.

References