Frame spoofing using document.open()
- September 14, 2006
- Firefox, SeaMonkey
- Fixed in
- Firefox 220.127.116.11
- SeaMonkey 1.0.5
shutdown demonstrated a way to inject content into a sub-frame of another
making the attackers content look like it was part of the victim site.
Similar in effect to MFSA 2005-51.
The victim site must first be opened in a new window (or tab) by the malicious site for this flaw to work. Do not enter a password or other sensitive information into a window "helpfully" opened by another site, always use the File menu option to open a trusted new window to which no other site has a reference.