Mozilla Foundation Security Advisory 2005-07
Script-generated event can download without prompting
- January 21, 2005
- Omar Khan
- Fixed in: Firefox 1
Script-generated click events were indistinguishable from true clicks. Combined with the Firefox Alt+click feature, which downloads links to the default location without prompting, this could be used by malicious sites to place executables or other malware onto a Windows user's desktop without their knowledge, or simply to attempt to fill their disk.
Mozilla 1.7.5 was also fixed to distinguish synthetic from true clicks, but didn't suffer from unprompted downloads.
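The distinction the fix introduces can be modelled as follows. This is an added example, not Firefox or Mozilla source: the function names, action strings and event records are hypothetical, and the choice to treat a synthetic Alt+click as ordinary navigation is an assumption of the model.

```javascript
// Simplified model of link-click handling; NOT Firefox code.
// Event records are plain objects constructed for this example.
// `isTrusted` and `altKey` mirror the DOM properties of the same names.

// Behaviour the advisory describes: click provenance is ignored, so any
// Alt+click, real or script-generated, saves the link without prompting.
function decideLegacy(ev) {
  if (ev.type !== 'click' || !ev.href) return 'ignore';
  return ev.altKey ? 'save-without-prompt' : 'navigate';
}

// Hardened model: the no-prompt save shortcut is honoured only for clicks
// that came from real user input. Assumption: a synthetic Alt+click is
// handled like a plain click instead of being dropped.
function decideHardened(ev) {
  if (ev.type !== 'click' || !ev.href) return 'ignore';
  if (ev.altKey && ev.isTrusted === true) return 'save-without-prompt';
  return 'navigate';
}

// Constructed sample events (the URL is a placeholder).
const HREF = 'http://example.test/file.exe';
const SAMPLE_EVENTS = [
  { label: 'user Alt+click',   type: 'click', href: HREF, altKey: true,  isTrusted: true  },
  { label: 'script Alt+click', type: 'click', href: HREF, altKey: true,  isTrusted: false },
  { label: 'user click',       type: 'click', href: HREF, altKey: false, isTrusted: true  },
  { label: 'script click',     type: 'click', href: HREF, altKey: false, isTrusted: false },
];

// Labels of the events whose outcome changes once provenance is checked.
function changedDecisions(events) {
  return events
    .filter((ev) => decideLegacy(ev) !== decideHardened(ev))
    .map((ev) => ev.label);
}

console.log(changedDecisions(SAMPLE_EVENTS));
```

Only the script-generated Alt+click changes outcome; a genuine Alt+click keeps the shortcut.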