A design error in the Firefox browser can allow phishers to conceal the true origins of a web page from the user. This could be used to place extremely deceptively genuine looking web pages from organisations such as banks, eBay, PayPal and other providers on the web (spoofing). Browser security specialist Michal Zalewski has provided a demonstration web page to enable interested users to understand the problem. The demo works with Firefox 1.5 and 2.0.

According to Zalewski, the problem lies in the way Firefox deals with the URL about:blank, which opens a blank page. The browser does not show either a URL in the address bar or information in the window's title bar. However, JavaScript can also open such a web page, and various JavaScript functions can be used to insert additional content into the web page. This is not normally possible for windows originating from different domains, but because about:blank is not assigned to any domain and document.location is not defined, it nevertheless works anyway. And, according to Zalewski, older spoofing bugs can also again be exploited in this way in Firefox.

The only remedy at present is to disable JavaScript or to use the NoScript plugin for Firefox, which only allows scripting on known, trusted websites.

See also:

• Firefox about:blank spoofing demos, description and demo of the vulnerability from Michal Zalewski