You are here: Known Vulnerabilities in Mozilla Products (Firefox 220.127.116.11) > MFSA 2006-61
Mozilla Foundation Security Advisory 2006-61
Title: Frame spoofing using document.open()
Announced: September 14, 2006
Products: Firefox, SeaMonkey
Fixed in: Firefox 18.104.22.168
shutdown demonstrated a way to inject content into a sub-frame of another
making the attackers content look like it was part of the victim site.
Similar in effect to MFSA 2005-51.
The victim site must first be opened in a new window (or tab) by the malicious site for this flaw to work. Do not enter a password or other sensitive information into a window "helpfully" opened by another site, always use the File menu option to open a trusted new window to which no other site has a reference.