Mozilla Foundation Security Advisory 2012-69
Title: Incorrect site SSL certificate data
Announced: August 28, 2012
Reporter: Mark Poticha
Products: Firefox, SeaMonkey
Fixed in: Firefox 15
Firefox ESR 10.0.7
Security researcher Mark Poticha reported an issue where incorrect SSL certificate information can be displayed on the addressbar, showing the SSL data for a previous site while another has been loaded. This is caused by two onLocationChange events being fired out of the expected order, leading to the displayed certificate data to not be updated. This can be used for phishing attacks by allowing the user to input form or other data on a newer, attacking, site while the credentials of an older site appear on the addressbar.