You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-31
Mozilla Foundation Security Advisory 2010-31
Title: focus() behavior can be used to inject or steal keystrokes
Impact: Moderate
Announced: June 22, 2010
Reporter: Michal Zalewski
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.6.4
Firefox 3.5.10
SeaMonkey 2.0.5
Description
Google security researcher Michal Zalewski
reported that focus()
could be used to change a user's
cursor focus while they are typing, potentially directing their
keyboard input to an unintended location. This behavior was also
present across origins when content from one domain was embedded
within another via an iframe. A malicious web page could use this
behavior to steal keystrokes from a victim while they were typing
sensitive information such as a password.