Mozilla Foundation Security Advisory 2009-25
Title: URL spoofing with invalid unicode characters
Announced: June 11, 2009
Reporter: Pavel Cvrcek
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.0.11
Mozilla add-on developer Pavel Cvrcek reported that certain invalid unicode characters, when used as part of an IDN, are displayed as whitespace in the location bar. This whitespace could be used to force part of the URL out of view in the location bar. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.