Netscape 7.x, Konqueror 3.x, Opera 7.x, Safari 1.x, Microsoft Internet
Explorer 5.01/5.5/6, Mozilla 0.x, Mozilla 1.0, Mozilla 1.1, Mozilla 1.2,
Mozilla 1.3, Mozilla 1.4, Mozilla 1.5, Mozilla 1.6, Mozilla 1.7.x,
Mozilla Firefox 0.x,
Mozilla Firefox 1.x
The problem is that a website can inject content into another site's
window if the target name of the window is known. For example, a
malicious website can exploit this to spoof the content of a pop-up
window opened on a trusted website.
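
For site owners, the condition described above (the target name of the window is known) can be checked in their own pages: a window name written as a string literal is visible to anyone who reads the page source. The following is an added example, not part of the Secunia advisory; the function name, the regular expressions and the sample page are constructed for illustration, and names computed at run time are not evaluated.

```javascript
// Added example (not from the advisory): list pop-up targets whose window
// name is a fixed string literal in the page source.
const RESERVED = new Set(["_blank", "_self", "_parent", "_top"]);

// window.open(<literal or identifier>, "name", ...) with a literal name.
const OPEN_CALL =
  /window\.open\(\s*(?:"[^"]*"|'[^']*'|[\w.$]+)\s*,\s*(["'])([^"']*)\1/g;
// <a|form|area|base ... target="name">
const TARGET_ATTR =
  /<(?:a|form|area|base)\b[^>]*?\btarget\s*=\s*(["'])([^"']*)\1/gi;

function findFixedWindowNames(source) {
  const findings = [];
  const checks = [["window.open", OPEN_CALL], ["target attribute", TARGET_ATTR]];
  for (const [kind, re] of checks) {
    for (const m of source.matchAll(re)) {
      const name = m[2];
      // Empty values and reserved keywords are not custom window names.
      if (name === "" || RESERVED.has(name.toLowerCase())) continue;
      // 1-based line number of the match, for the report.
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ kind, name, line });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page, for illustration only.
const SAMPLE_PAGE = [
  '<a href="/help.html" target="helpwin">Help</a>',
  '<a href="/news.html" target="_blank">News</a>',
  '<script>',
  '  window.open("/login.html", "loginPopup", "width=400,height=300");',
  '  window.open("/terms.html", "_blank");',
  '  window.open(url, popupName); // name computed at run time: not flagged',
  '</script>',
].join("\n");

for (const f of findFixedWindowNames(SAMPLE_PAGE)) {
  console.log(`line ${f.line}: ${f.kind} uses fixed window name "${f.name}"`);
}
```
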
Secunia has constructed a test, which can be used to check if your
browser is affected by this issue:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
Notes:
- The vulnerability has been confirmed in Mozilla 1.7.3 and Mozilla
Firefox 1.0. Other versions may also be affected.
- The vulnerability has been confirmed on a fully patched system with
Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.
- The vulnerability has been confirmed in Safari version 1.2.4. Other
versions may also be affected.
- The vulnerability has been confirmed in Opera version 7.54. Other
versions may also be affected.
- The vulnerability has been confirmed in Konqueror version 3.2.2-6.
Other versions may also be affected.
- The vulnerability has been confirmed in Netscape 7.2. Other versions
may also be affected.
Solution: Do not browse untrusted sites while browsing trusted sites.
Netscape:
http://secunia.com/advisories/13402/
Opera:
http://secunia.com/advisories/13253/
Mozilla/Firefox:
http://secunia.com/advisories/13129/
IE:
http://secunia.com/advisories/13251/
Konqueror:
http://secunia.com/advisories/13254/
Safari:
http://secunia.com/advisories/13252/