Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2009-11

URL spoofing with invisible control characters

Announced
March 4, 2009
Reporter
Masahiro Yamada
Impact
Low
Products
Firefox
Fixed in
  • Firefox 3.0.7

Description

Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.

The initial version of this advisory incorrectly listed Thunderbird and SeaMonkey as affected products. Firefox is the only product affected by this vulnerability.

References