Mozilla Foundation Security Advisory 2009-44
Title: Location bar and SSL indicator spoofing via window.open() on invalid URL
Announced: August 3, 2009
Reporter: Juan Pablo Lopez Yacubian
Fixed in: Firefox 3.5.2
Security researcher Juan Pablo Lopez Yacubian
reported that an attacker could call
window.open() on an
invalid URL which looks similar to a legitimate URL and then
document.write() to place content within the new
document, appearing to have come from the spoofed location.
Additionally, if the spoofed document was created by a document with a
valid SSL certificate, the SSL indicators would be carried over into
the spoofed document. An attacker could use these issues to display
misleading location and SSL information for a malicious web page.