Mozilla Foundation Security Advisory 2016-21

Displayed page address can be overridden

Announced
March 8, 2016
Reporter
Abdulrahman Alqabandi
Impact
Moderate
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 45
  • Firefox ESR 38.7

Description

Security researcher Abdulrahman Alqabandi reported an issue where an attacker can load an arbitrary web page while the address bar's displayed URL is blank or filled with page-defined content. This can be used to obscure which page is currently loaded, and it allows an attacker to spoof an existing page without the malicious page's address being displayed correctly.

References