You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.




Mozilla Foundation Security Advisory 2005-07

Title: Script-generated event can download without prompting
Severity: High (Firefox)
Reporter: Omar Khan
Products: Firefox

Fixed in: Firefox 1.0

Description

Script-generated click events were indistinguishable from true clicks. Combined with the Firefox Alt+click feature, which downloads links to the default location without prompting, this could be used by malicious sites to place executables or other malware onto a Windows user's desktop without their knowledge, or simply to attempt to fill their disk.

Mozilla 1.7.5 was also fixed to distinguish synthetic from true clicks, but didn't suffer from unprompted downloads.
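
The difference between the flawed and the fixed handling can be modelled in a few lines. This is an added example, not Mozilla's code: it assumes the standard DOM `Event.isTrusted` flag as the marker for a "true" click (the advisory does not say how Firefox implemented the distinction), and the function names, action labels and sample events are constructed for illustration.

```javascript
// Plain objects stand in for DOM MouseEvents so the model runs outside a browser.

// Behaviour described in the advisory: every click is treated alike, so an
// Alt+click saves the link target to the default location with no prompt.
function linkActionBeforeFix(ev) {
  if (ev.type !== 'click') return 'ignore';
  return ev.altKey ? 'save-without-prompt' : 'navigate';
}

// Assumed model of the fix: the prompt-free shortcut is honoured only for
// events produced by real user input. A missing flag counts as untrusted.
function linkActionAfterFix(ev) {
  if (ev.type !== 'click') return 'ignore';
  const fromUser = ev.isTrusted === true;
  return ev.altKey && fromUser ? 'save-without-prompt' : 'navigate';
}

// The same gate for page code: wrap a handler that performs a sensitive
// action so that script-generated events never reach it.
function trustedOnly(handler) {
  return function (ev) {
    if (ev.isTrusted !== true) return false; // dropped
    handler(ev);
    return true;
  };
}

// Constructed sample events (not captured from a real page).
const SAMPLE_EVENTS = [
  { type: 'click',   altKey: true,  isTrusted: true,  href: 'https://example.test/report.pdf' },
  { type: 'click',   altKey: true,  isTrusted: false, href: 'https://example.test/setup.exe' },
  { type: 'click',   altKey: false, isTrusted: false, href: 'https://example.test/page.html' },
  { type: 'keydown', altKey: true,  isTrusted: true,  href: 'https://example.test/other' },
];

// Lists the link targets a given policy would save without prompting.
function silentSaves(events, policy) {
  return events
    .filter((ev) => policy(ev) === 'save-without-prompt')
    .map((ev) => ev.href);
}

console.log('before fix:', silentSaves(SAMPLE_EVENTS, linkActionBeforeFix));
console.log('after fix: ', silentSaves(SAMPLE_EVENTS, linkActionAfterFix));
```

Under the pre-fix policy the script-generated Alt+click is saved silently alongside the genuine one; under the gated policy only the genuine user click keeps the shortcut.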

Workaround

Disable JavaScript or upgrade to a fixed version.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=265176