10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.02 Low
EPSS
Percentile
88.8%
Mozilla allows websites to disable various browser status elements. This allows websites to create spoofed dialogs using XUL.
Certain Mozilla web browser status elements, such as the address bar, status bar, and navigation controls, can be disabled remotely by web sites using JavaScript. Consequently, attackers can design malicious web sites that disable these native elements and, using XUL, recreate pages that look like native Mozilla dialogs and windows. (XUL is Mozilla’s XML-based user interface. It allows for the development of cross-platform applications.)
An attacker could convince a user that they were viewing a native Mozilla dialog, when in fact they are visiting a page created by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords. The attacker could also spoof pop-up windows that do not display the address bar.
Disable the ability to hide status items
By performing the following steps, it is possible to prevent JavaScript from disabling status elements. This will make XUL-created pages appear distinct from native Mozilla dialogs.
1. Enter “about:config” in Mozilla’s address bar. This will display Mozilla’s configuration values.
2. Set the following values to **true**
:
dom.disable_window_open_feature.titlebar dom.disable_window_open_feature.close dom.disable_window_open_feature.toolbar dom.disable_window_open_feature.location dom.disable_window_open_feature.directories dom.disable_window_open_feature.personalbar dom.disable_window_open_feature.menubar dom.disable_window_open_feature.scrollbars dom.disable_window_open_feature.resizable dom.disable_window_open_feature.minimizable dom.disable_window_open_feature.status
user.js
file.262350
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: August 04, 2004 Updated: December 16, 2004
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23262350 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
This vulnerability was reported by David Ahmad. The workaround was provided by Asa Dotzler.
This document was written by Will Dormann.
CVE IDs: | CVE-2004-0764 |
---|---|
Severity Metric: | 1.04 Date Public: |