You are here: Known Vulnerabilities in Mozilla Products (Firefox > MFSA 2006-61

Mozilla Foundation Security Advisory 2006-61

Title: Frame spoofing using
Impact: Low
Announced: September 14, 2006
Reporter: shutdown
Products: Firefox, SeaMonkey

Fixed in: Firefox
  SeaMonkey 1.0.5


shutdown demonstrated a way to inject content into a sub-frame of another site using targetWindow.frames[n], making the attackers content look like it was part of the victim site. Similar in effect to MFSA 2005-51.


The victim site must first be opened in a new window (or tab) by the malicious site for this flaw to work. Do not enter a password or other sensitive information into a window "helpfully" opened by another site, always use the File menu option to open a trusted new window to which no other site has a reference.