[Full-disclosure] Firefox: onUnload tailgating (MSIE7 entrapment bug variant)
lcamtuf at dione.ids.pl
Fri Feb 23 12:49:41 GMT 2007

On Fri, 23 Feb 2007, Michal Zalewski wrote:
> Firefox isn't outright vulnerable to this problem, but judging from its
> behavior, it is likely to be susceptible to a variant of this bug

And indeed, susceptible it is. On the surface, the problem is even more
loaded one. Fortunately, at the time this is possible, 'document' and
'window' DOM hierarchies are not accessible - but then, 'location' is.
With a bit of clever trickery, we can mount the following attack:
As shown there, the problem is less serious than MSIE7 full-scale
Matrix-esque entrapment, but nevertheless - the bug is a cool one. And I