Mozilla Foundation Security Advisory 2005-07

Script-generated event can download without prompting

Announced
January 21, 2005
Reporter
Omar Khan
Impact
High
Products
Firefox
Fixed in
  • Firefox 1

Description

Script-generated click events were indistinguishable from true clicks. Combined with the Firefox Alt+click feature that downloads links to the default location without prompting this could be used by malicious sites to place executables or other malware onto a windows user's desktop without their knowing, or simply attempt to fill their disk.

Mozilla 1.7.5 was also fixed to distinguish synthetic from true clicks, but didn't suffer from unprompted downloads.

Workaround

Disable javascript or upgrade to fixed version.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=265176