Carefully timed reloads, redirects, and navigation can spoof the address field – Opera Security Advisories
The address field should always show the address of the page that is being displayed. Certain types of navigation, combined with reloads and redirects to a slowly-responding target site can cause the address field to show the target site’s address, while the attacking site is still being displaye...
Pages can prevent navigation to a target page, spoofing the address field
When a user types a new URL for the browser to load, the currently active page may detect when the new page is about to load and prevent the navigation, while still leaving the new URL displayed in the address bar. This can then be used to spoof the URL of the target page. The malicious page woul...
Hidden keyboard navigation can allow cross site scripting or code execution – Opera Security Advisories
When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can en...
Pages can prevent navigation to a target page, spoofing the address field – Opera Security Advisories
When a user types a new URL for the browser to load, the currently active page may detect when the new page is about to load and prevent the navigation, while still leaving the new URL displayed in the address bar. This can then be used to spoof the URL of the target page. The malicious page woul...
Cross-domain JSON resources may be exposed as JavaScript variable data
JSON strings are sometimes exported by sites as a resource that cannot be read cross-domain, and may contain confidential data. The format of a JSON string ensures that it cannot be read as the contents of a variable, if it is included as a normal script. In some cases, Opera does not correctly...
Carefully timed reloads, redirects, and navigation can spoof the address field
The address field should always show the address of the page that is being displayed. Certain types of navigation, combined with reloads and redirects to a slowly-responding target site can cause the address field to show the target site's address, while the attacking site is still being displaye...
A combination of clicks and key presses can lead to cross site scripting or code execution
When a user double clicks on a page, they may expect the two clicks to target the same object. If a page uses the first click to open a pop-up window in a predictable location, the second click may focus parts of the new window, such as its address field. If the page can then convince the user to...
A combination of clicks and key presses can lead to cross site scripting or code execution – Opera Security Advisories
When a user double clicks on a page, they may expect the two clicks to target the same object. If a page uses the first click to open a pop-up window in a predictable location, the second click may focus parts of the new window, such as its address field. If the page can then convince the user to...
Cross-domain JSON resources may be exposed as JavaScript variable data – Opera Security Advisories
JSON strings are sometimes exported by sites as a resource that cannot be read cross-domain, and may contain confidential data. The format of a JSON string ensures that it cannot be read as the contents of a variable, if it is included as a normal script. In some cases, Opera does not correctly...
Web page dialogs can be used to display the wrong address in the address field
The address field should always show the correct address for the page that is loaded. If a page can cause Opera to display certain dialogs relating to a target site, the dialog may in some cases cause Opera to display the target site's address instead of the correct address. This can allow an...
History.state can leak the state data from cross domain pages – Opera Security Advisories
When a site uses history.pushState and history.replaceState to add or replace history entries, it can also provide optional data, which may typically be used to restore the given state when the user navigates through their browser history. When pages with cross-domain frames use this functionalit...
Overlapping content can trick users into executing downloads
Dialogs such as the download dialog are usually displayed on top of page content, to ensure that the user knows that the dialog is requesting attention. In some cases, this policy was not implemented correctly in Opera, allowing certain page content to overlay the dialog. In these cases, clicking...
Carefully timed reloads and redirects can spoof the address field – Opera Security Advisories
The address field should always show the address of the page that is being displayed. In certain cases, if a target site responds slowly, reloading an attacking page and redirecting to the target page can cause the address field to show the target site’s address, while the attacking site is still...
Web page content may overlap the address field – Opera Security Advisories
The browser’s user interface contains several pieces of security information. To preserve this information correctly, web page content should not be able to display over the user interface. Certain styling can cause Opera to allow the content to be displayed outside the page, over the address...
Web page content may overlap the address field
The browser's user interface contains several pieces of security information. To preserve this information correctly, web page content should not be able to display over the user interface. Certain styling can cause Opera to allow the content to be displayed outside the page, over the address...
History.state can leak the state data from cross domain pages
When a site uses history.pushState and history.replaceState to add or replace history entries, it can also provide optional data, which may typically be used to restore the given state when the user navigates through their browser history. When pages with cross-domain frames use this functionalit...
Carefully timed reloads and redirects can spoof the address field
The address field should always show the address of the page that is being displayed. In certain cases, if a target site responds slowly, reloading an attacking page and redirecting to the target page can cause the address field to show the target site's address, while the attacking site is still...
Overlapping content can trick users into executing downloads – Opera Security Advisories
Dialogs such as the download dialog are usually displayed on top of page content, to ensure that the user knows that the dialog is requesting attention. In some cases, this policy was not implemented correctly in Opera, allowing certain page content to overlay the dialog. In these cases, clicking...
Small windows can be used to trick users into executing downloads – Opera Security Advisories
When the download dialog is displayed, it should always be visible to the user, to ensure that the user realizes it is there. If the dialog is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end...
Small windows can be used to trick users into executing downloads
When the download dialog is displayed, it should always be visible to the user, to ensure that the user realizes it is there. If the dialog is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end...
Printing issue can allow data leaks to other system users, or allow them to corrupt data
When pages are printed by Opera, a temporary file is created, which contains the document to print. This document is not created with the correct permissions, allowing other users of the system to read its contents. When printed with certain popular printing frameworks, an additional temporary fi...
Printing issue can allow data leaks to other system users, or allow them to corrupt data – Opera Security Advisories
When pages are printed by Opera, a temporary file is created, which contains the document to print. This document is not created with the correct permissions, allowing other users of the system to read its contents. When printed with certain popular printing frameworks, an additional temporary fi...
Web page dialogs can be used to display the wrong address in the address field – Opera Security Advisories
The address field should always show the correct address for the page that is loaded. If a page can cause Opera to display certain dialogs relating to a target site, the dialog may in some cases cause Opera to display the target site’s address instead of the correct address. This can allow an...
Changing from a single-user to a multi-user installation on Windows (rev2) – Opera Security Advisories
OPCOM Team | January 5, 2012. If you received the error message “There was a problem initializing Opera Mail. Engine Init Failed”, it may mean that you have a stand-alone USB installation of Opera...
Issue with error pages can cause a system crash
When attempting to resolve a URL which cannot be interpreted as a legal URL, Opera will create an error page to display to the user when they load it. If enough invalid URLs can be created, Opera can use up all available disk space with these error pages, causing the browser or operating system t...
Issue with error pages can cause a system crash – Opera Security Advisories
When attempting to resolve a URL which cannot be interpreted as a legal URL, Opera will create an error page to display to the user when they load it. If enough invalid URLs can be created, Opera can use up all available disk space with these error pages, causing the browser or operating system t...
Data URIs may be used to initiate cross site scripting against unrelated sites – Opera Security Advisories
Data URIs are supposed to inherit the security context from the page that created them. In some cases, Opera does not enforce this correctly, and will allow unrelated data URIs to interact both with each other, and their source pages. This can be used to enable cross site scripting against the...
Data URIs may be used to initiate cross site scripting against unrelated sites
Data URIs are supposed to inherit the security context from the page that created them. In some cases, Opera does not enforce this correctly, and will allow unrelated data URIs to interact both with each other, and their source pages. This can be used to enable cross site scripting against the...
Frameset issue allows execution of arbitrary code – Opera Security Advisories
Framesets allow web pages to hold other pages inside them. Certain frameset constructs are not handled correctly when the page is unloaded, causing a memory corruption. To inject code, additional techniques will have to be employed...
Frameset issue allows execution of arbitrary code
Framesets allow web pages to hold other pages inside them. Certain frameset constructs are not handled correctly when the page is unloaded, causing a memory corruption. To inject code, additional techniques will have to be employed...
HTTP header leakage when using Opera Turbo – Opera Security Advisories
OPCOM Team | February 11, 2011. Severity: High. Description: When using Opera Turbo, pages are requested by the Opera Turbo servers, sending the relevant HTTP headers for that request. In some cases, the headers are incorrectly...
The wrong executable may be used to display a downloaded file in its folder – Opera Security Advisories
OPCOM Team | January 28, 2011. Severity: Low. Affected versions: This issue affects Opera for Microsoft Windows. Description: Opera’s downloads manager allows users to select a file, and open the...
The wrong executable may be used to display a downloaded file in its folder
Opera's downloads manager allows users to select a file, and open the folder containing that file. This file will be opened using the operating system's file system viewer. In some cases, Opera will use the wrong executable when trying to show the folder view, and that executable may execute code...
Email passwords are not immediately deleted when deleting private data – Opera Security Advisories
OPCOM Team | January 26, 2011. Severity: Moderate. Description: When using “Delete Private Data” and selecting the option to “Clear all email account passwords”, the passwords were not deleted...
Email passwords are not immediately deleted when deleting private data
When using "Delete Private Data" and selecting the option to "Clear all email account passwords", the passwords were not deleted immediately, and would continue to be used until the browser was restarted. This could unexpectedly allow continued access to those email accounts...
Web pages can gain limited access to files on the user's computer
Certain types of HTTP responses and redirections can cause Opera to mistakenly give elevated privileges to remote web pages. These pages can then use their elevated privileges to load files from the user's computer as web page resources. This may allow scraping of potentially sensitive informatio...
Clickjacking attacks may be carried out against internal opera: URLs
Internal opera: URLs which may be used to modify the Opera configuration have some intentional restrictions that are designed to mitigate possible clickjacking attacks. Certain manipulations can trick Opera into bypassing those restrictions, which would then allow clickjacking attacks to be carri...
Web pages can gain limited access to files on the user’s computer – Opera Security Advisories
OPCOM Team | January 25, 2011. Severity: High. Description: Certain types of HTTP responses and redirections can cause Opera to mistakenly give elevated privileges to remote web pages. These pages can then u...
Clickjacking attacks may be carried out against internal opera: URLs – Opera Security Advisories
OPCOM Team | January 25, 2011. Severity: High. Description: Internal opera: URLs which may be used to modify the Opera configuration have some intentional restrictions that are designed to mitigate possib...
Large form inputs can allow execution of arbitrary code
When certain large form inputs appear on a web page, they can cause Opera to crash. In some cases, the crash can lead to memory corruption, which could be used to execute code. To inject code, additional techniques will have to be employed...
Large form inputs can allow execution of arbitrary code – Opera Security Advisories
OPCOM Team | January 25, 2011. Severity: Critical. Description: When certain large form inputs appear on a web page, they can cause Opera to crash. In some cases, the crash can lead to memory corruption, which could b...
Certain DOM manipulations can allow execution of arbitrary code
Various unexpected DOM manipulations can cause Opera to crash. In some cases, these crashes can occur in a way that allows execution of arbitrary code. To inject code, additional techniques may have to be employed...
Certain DOM manipulations can allow execution of arbitrary code – Opera Security Advisories
OPCOM Team | January 4, 2011. Severity: High. Description: Various unexpected DOM manipulations can cause Opera to crash. In some cases, these crashes can occur in a way that allows execution of arbitrary code...
Opera may be used as a vector for multiple font issues in the underlying operating system – Opera Security Advisories
OPCOM Team | December 17, 2010. Affected versions: This vulnerability may be targeted through Opera for Windows. Severity: Critical. Description: A flaw in the font handling on the...
Web page content can display misleading security information
Dialogs such as the security information dialog and download dialog are displayed over the top of the webpage content. In some cases, webpage content will be incorrectly displayed on top of the dialogs, or over parts of the dialogs. This content can then display misleading security information,...
WAP form content can be leaked to other sites – Opera Security Advisories
When accepting user input in form fields on a WAP page, WML requires that the input contents are remembered, and used to populate every further input sharing the same name. This should continue as long as the user continues to click links known as a WAP session, even populating similarly named...
WAP form content can be leaked to other sites
When accepting user input in form fields on a WAP page, WML requires that the input contents are remembered, and used to populate every further input sharing the same name. This should continue as long as the user continues to click links known as a WAP session, even populating similarly named...
Web page content can display misleading security information – Opera Security Advisories
Dialogs such as the security information dialog and download dialog are displayed over the top of the webpage content. In some cases, webpage content will be incorrectly displayed on top of the dialogs, or over parts of the dialogs. This content can then display misleading security information,...
JavaScript might run in the wrong context if loaded from error page – Opera Security Advisories
OPCOM Team | October 11, 2010. Severity: Moderate. Description: If Opera is sent to an invalid URL, an error page will be displayed along with a link to the URL. The URL linked to might run scripts, and in...
JavaScript might run in the wrong context if loaded from error page
If Opera is sent to an invalid URL, an error page will be displayed along with a link to the URL. The URL linked to might run scripts, and in some cases these scripts might be run in the wrong security context. This can be used to execute scripts in the context of an unrelated domain, which allow...