New security leak in Firefox (03/12/07 5:05 pm)
A design error within Firefox could be exploited by phishers for faking the origin of a website (spoofing) so a bank website could be simulated without the user noticing that the website is not residing on the bank's server. The specialist Michael Zalewski offers a demo which proves the successful exploitation of this leak. Versions 1.5.x.x as well 2.x.x.x are affected.
The problem is caused by Firefox's behavior regarding the URL about:blank which opens a blank website. In this case the browser shows neither theURL in the URL line nor any information in the browser's title row. More content can be added to this website by using java-script functions.
We recommend turning off java script until the leak is fixed. Alternatively, the plugin NoScript allows you to turn on java script for trusted websites only.