Mozilla Foundation Security Advisory 2009-25

URL spoofing with invalid unicode characters

Announced
June 11, 2009
Reporter
Pavel Cvrcek
Impact
Low
Products
Firefox
Fixed in
  • Firefox 3.0.11

Description

Mozilla add-on developer Pavel Cvrcek reported that certain invalid unicode characters, when used as part of an IDN, are displayed as whitespace in the location bar. This whitespace could be used to force part of the URL out of view in the location bar. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.

References