Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page.
blog.mozilla.com/security/2009/07/28/url-bar-spoofing-vulnerability/
es.geocities.com/jplopezy/firefoxspoofing.html
osvdb.org/56717
secunia.com/advisories/36001
secunia.com/advisories/36126
secunia.com/advisories/36141
secunia.com/advisories/36435
secunia.com/advisories/36669
secunia.com/advisories/36670
sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1
www.debian.org/security/2009/dsa-1873
www.mozilla.org/security/announce/2009/mfsa2009-44.html
www.redhat.com/support/errata/RHSA-2009-1430.html
www.redhat.com/support/errata/RHSA-2009-1431.html
www.redhat.com/support/errata/RHSA-2009-1432.html
www.securityfocus.com/archive/1/505242/30/0/threaded
www.securityfocus.com/archive/1/505265
www.securityfocus.com/bid/35803
www.securitytracker.com/id?1022603
www.vupen.com/english/advisories/2009/2006
www.vupen.com/english/advisories/2009/2142
bugzilla.mozilla.org/show_bug.cgi?id=451898
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9686
usn.ubuntu.com/811-1/
www.redhat.com/archives/fedora-package-announce/2009-August/msg00198.html
www.redhat.com/archives/fedora-package-announce/2009-August/msg00261.html