Location bar spoofing via tall line-height Unicode characters

2009-09-09T00:00:00
ID MFSA2009-50
Type mozilla
Reporter Mozilla Foundation
Modified 2009-09-09T00:00:00

Description

Security researcher Juan Pablo Lopez Yacubian reported that the default Windows font used to render the locationbar and other text fields was improperly displaying certain Unicode characters with tall line-height. In such cases the tall line-height would cause the rest of the text in the input field to be scrolled vertically out of view. An attacker could use this vulnerability to prevent a user from seeing the URL of a malicious site. Corrie Sloot also independently reported this issue to Mozilla.