Mozilla Foundation Security Advisory 2009-50

2009-09-10T00:00:00
ID SECURITYVULNS:DOC:22455
Type securityvulns
Reporter Securityvulns
Modified 2009-09-10T00:00:00

Description

Title: Location bar spoofing via tall line-height Unicode characters
Impact: Low
Announced: September 9, 2009
Reporter: Juan Pablo Lopez Yacubian
Products: Firefox

Fixed in: Firefox 3.5.3
          Firefox 3.0.14

Description

Security researcher Juan Pablo Lopez Yacubian reported that the default Windows font used to render the location bar and other text fields was improperly displaying certain Unicode characters with tall line-height. In such cases the tall line-height would cause the rest of the text in the input field to be scrolled vertically out of view. An attacker could use this vulnerability to prevent a user from seeing the URL of a malicious site.

Corrie Sloot also independently reported this issue to Mozilla.

References

* https://bugzilla.mozilla.org/show_bug.cgi?id=453827
* CVE-2009-3078