You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.




Mozilla Foundation Security Advisory 2007-04

Title: Spoofing using custom cursor and CSS3 hotspot
Impact: Low
Announced: February 23, 2007
Reporter: David Eckel
Products: Firefox, SeaMonkey

Fixed in: Firefox 2.0.0.2
  Firefox 1.5.0.10
  SeaMonkey 1.0.8

Description

David Eckel reported that browser UI elements--such as the host name and security indicators--could be spoofed by using a large, mostly transparent, custom cursor and adjusting the CSS3 hotspot property so that the visible part of the cursor floated outside the browser content area.

This feature was introduced in Firefox 1.5 and does not affect products based on Mozilla 1.7 or earlier, such as Firefox 1.0.
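
For reviewing stylesheets for the pattern described above, the following added example (not part of the advisory or of Mozilla's fix) flags custom cursor declarations whose CSS3 hotspot lies far from the image origin. The function name, the 32-pixel threshold and the sample stylesheet are assumptions made for illustration; the check reads only the CSS text and does not inspect the cursor image's size or transparency.

```javascript
// Added example: flag CSS custom cursors whose hotspot is far from the image origin.
// MAX_HOTSPOT is an assumed review threshold, not a value taken from the advisory.
const MAX_HOTSPOT = 32;

// One cursor declaration: "cursor: <value list>" up to ';' or '}'.
// Quoted strings and (...) groups are consumed whole so data: URLs containing ';' survive.
const DECL_RE = /(?:^|[;{\s])cursor\s*:\s*((?:[^;}"'(]|"[^"]*"|'[^']*'|\([^)]*\))+)/gi;
// One url() item, optionally followed by the CSS3 hotspot pair "<x> <y>".
const ITEM_RE = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)(?:\s+(-?\d+(?:\.\d+)?)\s+(-?\d+(?:\.\d+)?))?/gi;

function findSuspiciousCursors(css, maxHotspot = MAX_HOTSPOT) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, " "); // ignore commented-out rules
  for (const decl of text.matchAll(DECL_RE)) {
    for (const item of decl[1].matchAll(ITEM_RE)) {
      if (item[4] === undefined) continue; // no explicit hotspot: default applies
      const x = Number(item[4]);
      const y = Number(item[5]);
      // A large offset means the image extends that far away from the pointer,
      // which is the precondition for drawing outside the content area.
      if (Math.abs(x) > maxHotspot || Math.abs(y) > maxHotspot) {
        findings.push({ image: item[1] ?? item[2] ?? item[3], x, y });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet (not taken from the advisory).
const SAMPLE_CSS = `
  a.help   { cursor: url("help.cur") 4 4, help; }
  .grab    { cursor: url(grab.png), move; }
  /* .old  { cursor: url(old.png) 0 500, auto; } */
  #overlay { cursor: url('overlay.png') 0 300, url(fallback.cur), auto; }
`;

console.log(findSuspiciousCursors(SAMPLE_CSS));
```

A finding is a prompt to inspect the referenced image, since the hotspot value alone does not show how large or how transparent the cursor is.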

Workaround

Any such spoofing can be made less effective by customizing the appearance of your browser. Right-click on an empty toolbar area and select "Customize..." to move, add, or delete toolbar buttons and other elements.
