Mozilla Foundation Security Advisory 2010-15
Title: Asynchronous Auth Prompt attaches to wrong window
Announced: March 23, 2010
Reporter: Justin Dolske
Products: Firefox 3.6
Fixed in: Firefox 3.6.2
Mozilla developer Justin Dolske reported that the new asynchronous Authorization Prompt (HTTP username and password) was not always attached to the correct window. Although we have not demonstrated this, it may be possible for a malicious page to convince a user to open a new tab or popup to a trusted service and then have the HTTP authorization prompt from the malicious page appear to be the login prompt for the trusted page. This potential attack is greatly mitigated by the fact that very few web sites use HTTP authorization, preferring instead to use web forms and cookies.
This issue does not affect older versions of Firefox or products based on the Mozilla browser engine, such as Thunderbird and SeaMonkey, using an older version of the engine.