Mozilla Foundation Security Advisory 2013-37
Bypass of tab-modal dialog origin disclosure
- April 2, 2013
- Firefox, SeaMonkey
- Fixed in
- Firefox 20
- SeaMonkey 2.17
Security researcher shutdown reported a method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow an attacker's dialog to overlay a page and show another site's content. This can be used for phishing by allowing users to enter data into a modal prompt dialog on an attacking, site while appearing to be from the displayed site.