Multiple vendor Web browsers inactive tab information disclosure

web-browser-inactive-info-disclosure (17789) The risk level is classified as Medium.

Description:

Multiple vendor Web browsers, including Mozilla, Firefox, Netscape, NetCaptor, Slim Browser, Avant Browser and Maxthon, could allow a remote attacker to obtain sensitive information. A remote attacker could create a specially-crafted Web page that, when loaded in an inactive tab (a tab that is open but not currently selected in the window), moves keyboard focus to one of its own form fields while the user is typing into a form on a Web site in the active tab. Because the affected browsers do not restrict focus changes to the selected tab, keystrokes the user intends for the trusted site are delivered to the attacker's page instead, which could facilitate phishing attacks. This vulnerability could be used to obtain sensitive information from unsuspecting users once the victim opens the malicious link in a new tab. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or sending it to a victim as an HTML email.
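The following is an added example, not code from this advisory or from any of the affected vendors. It models keyboard-focus routing in a tabbed browser to show why honoring a focus() request from an inactive tab leaks the victim's keystrokes, and contrasts it with routing that only lets the selected tab take the keyboard. The origins, field names and sample password are constructed for illustration.

```javascript
// Minimal model of a tabbed browser's keyboard-focus routing (added example;
// not from the advisory or any vendor). Origins and field names are constructed.

class Tab {
  constructor(origin, fieldNames) {
    this.origin = origin;
    // Form fields of the page, keyed by name, holding whatever was typed into them.
    this.fields = Object.fromEntries(fieldNames.map((name) => [name, ""]));
    this.focusedField = null; // the page's own notion of which field has focus
  }
}

class TabbedBrowser {
  // allowBackgroundFocus = true models the vulnerable behaviour: a page in any
  // tab may call focus() and receive the keyboard even while not selected.
  constructor({ allowBackgroundFocus }) {
    this.allowBackgroundFocus = allowBackgroundFocus;
    this.tabs = [];
    this.activeTab = null;
    this.keyboardTarget = null; // { tab, field } currently receiving keystrokes
  }

  open(tab, { activate }) {
    this.tabs.push(tab);
    if (activate) this.activate(tab);
  }

  // The user selects a tab: the keyboard goes to whatever that page had focused.
  activate(tab) {
    this.activeTab = tab;
    this.keyboardTarget = tab.focusedField ? { tab, field: tab.focusedField } : null;
  }

  // A page (or the user clicking in it) asks for focus on one of its own
  // fields, i.e. element.focus(). Returns whether the keyboard actually moved.
  requestFocus(tab, field) {
    if (!(field in tab.fields)) throw new Error(`${tab.origin} has no field ${field}`);
    tab.focusedField = field;
    if (tab !== this.activeTab && !this.allowBackgroundFocus) {
      // Hardened: a background tab may remember focus for when it is shown
      // again, but cannot take the keyboard away from the tab the user sees.
      return false;
    }
    this.keyboardTarget = { tab, field };
    return true;
  }

  // Keystrokes go to whichever field currently holds the keyboard.
  type(text) {
    if (!this.keyboardTarget) return;
    const { tab, field } = this.keyboardTarget;
    tab.fields[field] += text;
  }
}

// Walk through the scenario in the advisory and report where the victim's
// keystrokes ended up.
function simulateAttack(allowBackgroundFocus) {
  const browser = new TabbedBrowser({ allowBackgroundFocus });
  const bank = new Tab("https://bank.example", ["username", "password"]); // constructed
  const attacker = new Tab("http://attacker.example", ["stolen"]); // constructed

  browser.open(bank, { activate: true });
  // Victim opens the malicious link in a new tab without switching to it.
  browser.open(attacker, { activate: false });
  // Victim clicks into the password field on the bank tab.
  browser.requestFocus(bank, "password");
  // The attacker's page, still loaded in the background tab, keeps calling
  // focus() on its own field (e.g. from a setInterval timer) while the victim types.
  const stoleKeyboard = browser.requestFocus(attacker, "stolen");
  browser.type("hunter2"); // constructed sample password

  return {
    stoleKeyboard,
    attackerSaw: attacker.fields.stolen,
    bankReceived: bank.fields.password,
  };
}

console.log("vulnerable browser:", simulateAttack(true));
console.log("hardened browser:", simulateAttack(false));
```

In the vulnerable configuration the typed text lands in the attacker page's field and the bank form receives nothing; with focus changes confined to the active tab the background page's focus() call is ignored and the keystrokes stay with the site the user is looking at.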

Platforms Affected:

  • Avant Browser, Avant Browser 10.0 build 029
  • Avant Browser, Avant Browser 9.02 build 101
  • Canonical, Ubuntu 4.10
  • Mozilla, Firefox 0.10.1
  • Mozilla, Mozilla 1.7.3
  • Mysoft Technology, Maxthon 1.1.039
  • Netscape, Navigator 7.2
  • Stilesoft, NetCaptor 7.5.2

Remedy:

For Mozilla and Firefox:
Upgrade to Firefox 1.0 or Mozilla 1.7.5 or later, the versions identified as fixed in CVE-2004-1381. See References.

For Ubuntu Linux:
Refer to USN-149-3 for patch, upgrade, or suggested workaround information. See References.

Consequences:

Obtain Information

References:

  • Full-Disclosure Mailing List, Wed Oct 20 2004 - 08:01:31 CDT, Secunia Research: Multiple Browsers Tabbed Browsing Vulnerabilities at http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0750.html.
  • BID-11474: Mozilla Browser Cross-Domain Tab Window Form Field Focus Vulnerability
  • BID-11476: Maxthon Web Browser Cross-Domain Tab Window Form Field Focus Vulnerability
  • BID-11478: Avant Browser Cross-Domain Tab Window Form Field Focus Vulnerability
  • BID-11520: NetCaptor Cross-Domain Tab Window Form Field Focus Vulnerability
  • BID-11530: Slim Browser Cross-Domain Tab Window Form Field Focus Vulnerability
  • CVE-2004-1381: Firefox before 1.0 and Mozilla before 1.7.5 allow inactive (background) tabs to focus on input being entered in the active tab, as originally reported using form fields, which allows remote attackers to steal sensitive data that is intended for other sites, which could facilitate phishing attacks.
  • SA12712: Mozilla / Mozilla Firefox / Camino Tabbed Browsing Vulnerabilities
  • USN-149-3: Ubuntu 4.10 update for Firefox vulnerabilities

Reported:

Oct 20, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net