You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-83

Mozilla Foundation Security Advisory 2010-83

Title: Location bar SSL spoofing using network error page
Impact: High
Announced: December 9, 2010
Reporter: Michal Zalewski
Products: Firefox, SeaMonkey

Fixed in: Firefox 3.6.13
  Firefox 3.5.16
  SeaMonkey 2.0.11

Description

Google security researcher Michal Zalewski reported that when a window was opened to a site resulting in a network or certificate error page, the opening site could access the document inside the opened window and inject arbitrary content. An attacker could use this bug to spoof the location bar and trick a user into thinking they were on a different site than they actually were.

References