Mozilla XUL web applications may hide the titlebar

2007-10-1900:00:00

www.kb.cert.org

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.008 Low

EPSS

Percentile

81.4%

JSON

Overview

Mozilla’s XUL contains a vulnerability that may allow a web application to cover an active window’s titlebar.

Description

XUL is Mozilla’s XML-based user interface language. XUL can be used to create Mozilla applications, extensions, and web applications.

From Mozilla Foundation Security Advisory 2007-33:
Mozilla developer Eli Friedman discovered that web pages written in the XUL markup language (rather than the usual HTML) can hide their window’s titlebar. It may have been possible to abuse this ablity to create more convincing spoof and phishing pages.

Impact

An attacker may be able to create phishing or spoofed websites.

Solution

Upgrade

Mozilla has released Firefox 2.0.0.8 and SeaMonkey 1.1.5 to address this issue.

Vendor Information

349217

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Mozilla __ Affected

Updated: October 19, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.mozilla.org/security/announce/2007/mfsa2007-33.html> for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23349217 Feedback>).