Mozilla Foundation Security Advisory 2012-43

Incorrect URL displayed in addressbar through drag and drop

Announced
July 17, 2012
Reporter
Mario Gomes, Code Audit Labs
Impact
Moderate
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 14
  • Firefox ESR 10.0.6

Description

Security researcher Mario Gomes andresearch firm Code Audit Labs reported a mechanism to short-circuit page loads through drag and drop to the addressbar by canceling the page load. This causes the address of the previously site entered to be displayed in the addressbar instead of the currently loaded page. This could lead to potential phishing attacks on users.

References