MozillaZine

Exploit using target="_blank"

Discussion of general topics about Seamonkey
Anonymosity
 
Posts: 8571
Joined: May 7th, 2007, 12:07 pm

Post Posted June 10th, 2019, 11:12 am

There is a target="_blank" exploit demonstrated at this page: https://mathiasbynens.github.io/rel-noopener/
Does the same exploit work with target="_new"? Is there anything fundamentally different about how that code works, compared to target="_blank"?

therube

Posts: 20002
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted June 10th, 2019, 4:35 pm

(Not having any clue... dealing with an undated web page [don't you love that, but appears to be 10-25-2018 - at the latest]...)

Exploit is (relatively ~2017) old.
Presumably fixed in FF 52, so likewise presumably that fix flowed through to SeaMonkey.
Mozilla, not being total ignoramuses, would have taken associated items, like _new, into account when fixing the issue.

(And I could be totally wrong :-).)


SeaMonkey 2.49, 2.53, PM 28.5, FF 52 all look to give the same results.
Quantum gives different results giving "The previous tab is safe and intact. window.opener was null; mischief not managed!" for all tabs (vs. only some for the others).
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Anonymosity
 
Posts: 8571
Joined: May 7th, 2007, 12:07 pm

Post Posted June 10th, 2019, 11:05 pm

That exploit worked on all my browsers without some installed script to defeat it. Maybe I should just modify that script to include target="_new".

therube

Posts: 20002
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted June 11th, 2019, 4:53 am

That's the thing. Not really sure just what I'm supposed to be seeing.
And very possible that over time, allowed behavior changed (& so the difference between FF 52 & Quantum).
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Anonymosity
 
Posts: 8571
Joined: May 7th, 2007, 12:07 pm

Post Posted June 11th, 2019, 2:01 pm

I have 5 different browsers with 5 different rendering engines. With no script protection against that exploit, all were susceptible to the exploit. The oldest is Safari, last updated in 2018, but the others are much more recent.

Anonymosity
 
Posts: 8571
Joined: May 7th, 2007, 12:07 pm

Post Posted June 13th, 2019, 12:54 pm

I just found out that browsers were set up to recognize rel="noopener" something like 2 years ago. That does not help if a web page is not using that code.
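
An added example, not part of the thread and not the script any poster mentions: a client-side pass that adds rel="noopener" to links whose target opens a new window, covering target="_new" as well as target="_blank". The function names and the `frameNames` parameter are assumptions made for this sketch.

```javascript
// Added example, not code from the thread or from the linked demo page.
// Targets that reuse an existing browsing context and never set a new opener.
const SAME_CONTEXT = new Set(["", "_self", "_parent", "_top"]);

// "_blank" always opens a new context. "_new" is not a reserved keyword, so it
// is treated as an ordinary window name: the first click opens a window named
// "_new" with window.opener set, exactly like "_blank".
// frameNames (assumption): names of frames already in the page; links aimed at
// those navigate the frame and are left alone.
function opensNewContext(target, frameNames = new Set()) {
  const t = target || "";
  if (SAME_CONTEXT.has(t.toLowerCase())) return false;
  return !frameNames.has(t);
}

// Return rel with "noopener" appended unless it (or "noreferrer", which
// implies it) is already present. Tokens are compared case-insensitively.
function hardenRel(rel) {
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const lower = tokens.map((x) => x.toLowerCase());
  if (lower.includes("noopener") || lower.includes("noreferrer")) {
    return tokens.join(" ");
  }
  return [...tokens, "noopener"].join(" ");
}

// Patch every <a>/<area> under root; returns how many rel attributes were rewritten.
function hardenLinks(root, frameNames = new Set()) {
  let changed = 0;
  for (const el of root.querySelectorAll("a[target], area[target]")) {
    if (!opensNewContext(el.getAttribute("target"), frameNames)) continue;
    const before = el.getAttribute("rel") || "";
    const after = hardenRel(before);
    if (after !== before) {
      el.setAttribute("rel", after);
      changed++;
    }
  }
  return changed;
}

// In a user script: call hardenLinks(document) once the DOM has loaded.
```

Links inserted into the page after the pass runs are not covered unless the pass is run again.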
