Mozilla Foundation, MFSA2010-15
Mar 23, 2010 - 12:00 a.m.

Asynchronous Auth Prompt attaches to wrong window — Mozilla

www.mozilla.org

EPSS: 0.007 (Low), percentile 79.7%

Mozilla developer Justin Dolske reported that the new asynchronous Authorization Prompt (HTTP username and password) was not always attached to the correct window. Although we have not demonstrated this, it may be possible for a malicious page to convince a user to open a new tab or popup to a trusted service and then have the HTTP authorization prompt from the malicious page appear to be the login prompt for the trusted page. This potential attack is greatly mitigated by the fact that very few web sites use HTTP authorization, preferring instead to use web forms and cookies.

CPE
Name     Operator  Version
firefox  lt        3.6.2
