Mozilla Foundation Security Advisory 2016-52

Addressbar spoofing though the SELECT element

Announced
June 7, 2016
Reporter
Jordi Chancel
Impact
Moderate
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 47
  • Firefox ESR 45.2

Description

Security researcher Jordi Chancel reported a method to spoof the contents of the addressbar. This uses a persistent menu within a <select> element, which acts as a container for HTML content and can be placed in an arbitrary location. When placed over the addressbar, this can mask the true site URL, allowing for spoofing by a malicious site.

References