Mozilla Foundation Security Advisory 2013-37

Bypass of tab-modal dialog origin disclosure

Announced
April 2, 2013
Reporter
shutdown
Impact
Moderate
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 20
  • SeaMonkey 2.17

Description

Security researcher shutdown reported a method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow an attacker's dialog to overlay a page and show another site's content. This can be used for phishing by allowing users to enter data into a modal prompt dialog on an attacking, site while appearing to be from the displayed site.

References