Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Browsers Have JS Pop-Up Flaw

Posted by Zonk on from the security-flaws-build-character dept.

An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."

4 of 397 comments (clear)

  1. Re:Oh I know by CdBee · · Score: 5, Informative

    Easier to use an extension like NoScript - a javascript permission whitelist - to selectively allow pages to run scripts, then control passes to where it should be - the user

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  2. Stop Firefox or Mozilla from hiding location by greed · · Score: 5, Informative
    Firefox and Mozilla, and probably any other Gecko-based browsers, have a way of disabling the disabling of various UI elements when JavaScript opens a window. I found this in another Slashdot thread last year, but forgot which one.

    Open about:config . You'll probably have to type that, Mozilla won't follow it from an http: URL.

    Key in dom.disable_window_open_feature as a filter.

    Change the value for location to true. In Firefox, just double-click the false and it will toggle. Mozilla you need to edit it and actually type in all four letters of true. (But I'm happier with the Mozilla suite at the office, so I live with it.)

    Change any other values to true that you feel like; I'd be inclined to do status, resizable, close and menubar at a minimum.

    Now the location will be visible in any pop-up window.

    So the very first thing the Moz group should do is default some of this stuff to true instead of pander to controlling webmasters who want to take over the user's computer. I mean false.

  3. Re:Ahh I love Javascript dialogs, I really do by Ewan · · Score: 4, Informative

    Check out noscript, firefox extension for whitelisting javascript

    Ewan

  4. Re:old news by hkmwbz · · Score: 5, Informative
    "It's advertising and FUD from those Opera guys. They are really getting boring."
    Better put on your tinfoil hat!
    "Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera"
    Wow. I didn't know that "Jakob Balle, Secunia Research" worked for Opera? I thought he worked for Secunia, seeing as he, well, works there and everything?
    "Slashdot runs one more article about the genious of this stupid paid-for, closed source browser."
    You mean Opera? Opera Software, the company that employs and pays several members of the W3C? Which pays real money to people to work on open standards?

    Ah, the evil Opera! I get it.

    "That's not the first time it happens, nor the last one. /., stop supporting Opera FUD. Thanks."
    Asa? Is that you? Why are you posting as an AC?!
    --
    Clever signature text goes here.