Bug 1479311 (CVE-2018-12382) - Firefox for Android - AddressBar Spoofing using specially-crafted javascript: URL opened in a new tab
Status: Closed, VERIFIED FIXED (opened 6 years ago, closed 6 years ago)
Categories: Firefox for Android Graveyard :: General, defect
Tracking: firefox61 wontfix, firefox62 verified, firefox63 fixed
Target Milestone: Firefox 63
People: Reporter: jordi.chancel, Assigned: JanH
Keywords: csectype-spoof, regression, sec-low; Whiteboard: [adv-main62+]
Attachments (2 files): a text/html test case (deleted); a text/x-review-board-request patch (deleted), snorp: review+, lizzard: approval-mozilla-beta+
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180604143143
Steps to reproduce:
When a malicious web page on an attacker web site opens a javascript: URL containing the attacker domain
(example: attacker domain = www.yyy.com; javascript: URL opened = javascript: [code] + www.yyy.com + [code]),
the attacker domain is visible at the right of the address bar and covers the javascript: protocol,
so at the left of the address bar it is possible to show another domain (e.g. www.google.com, www.bankofamerica.com, ...).
This can lead to address bar spoofing (the video demo in the attachments shows how this vulnerability works).
STR:
1) Go to the test case URL and click on the « ClickMe » link (the specially-crafted javascript: URL is now opened in a new tab).
This javascript: URL opened in a new tab can lead to address bar spoofing.
Actual results:
The specially-crafted javascript: URL can lead to address bar spoofing (as demonstrated in the video demo in the attachments).
Expected results:
A possible fix for this vulnerability: the specially-crafted javascript: URL should be displayed like other javascript: URLs (the javascript: protocol should always be visible in the address bar).
Reporter, Comment 1 (6 years ago):
The video demo.
Updated (6 years ago): Flags: sec-bounty?
Updated (6 years ago): Group: firefox-core-security; Keywords: csectype-spoof, sec-low
Assignee, Comment 2 (6 years ago):
I guess we shouldn't attempt to do domain highlighting (which is what drives the scrolling of the URL) for URLs starting with "javascript:" here: https://dxr.mozilla.org/mozilla-central/rev/a2d65d03e46a9a42b5bee5c2a7864d3f987a8ca7/mobile/android/app/src/photon/java/org/mozilla/gecko/toolbar/ToolbarDisplayLayout.java#331
Assignee: nobody → jh+bugzilla
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → Android
Hardware: Unspecified → All
Comment hidden (mozreview-request)
Comment 4 (6 years ago), mozreview-review:
Comment on attachment 8997537 [details]: Bug 1479311 - Don't attempt finding and highlighting a tab's base domain within a javascript: URL.
https://reviewboard.mozilla.org/r/261256/#review268954
Attachment #8997537 - Flags: review?(snorp) → review+
Pushed by mozilla@buttercookie.de:
https://hg.mozilla.org/integration/autoland/rev/bf82b74a7db7
Don't attempt finding and highlighting a tab's base domain within a javascript: URL. r=snorp
Comment 6 (6 years ago), bugherder:
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox63: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63
Assignee, Comment 7 (6 years ago):
Comment on attachment 8997537 [details]: Bug 1479311 - Don't attempt finding and highlighting a tab's base domain within a javascript: URL.
Approval Request Comment
[Feature/Bug causing the regression]: URL bar domain highlighting in combination with bug 1271998
[User impact if declined]: A tab's base domain contained within a "javascript:" URL might incorrectly be highlighted and scrolled to, obscuring the fact that the URL is in fact a "javascript:" URL.
[Is this code covered by automated tests?]: No.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Just adding a check for the "javascript:" protocol in the domain highlighting code.
[String changes made/needed]: None.
Attachment #8997537 - Flags: approval-mozilla-beta?
status-firefox61: --- → wontfix
status-firefox62: --- → affected
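The mechanism the report and the approval request describe, as an added example that is not part of this bug and not Mozilla's code: a JavaScript model of the address bar's domain highlighting, with the pre-fix behaviour (find the tab's base domain anywhere in the URL text and scroll it into view) beside the post-fix behaviour (skip highlighting for a javascript: URL, so the scheme stays visible). The viewport width, the crafted URL layout, the case-insensitive scheme compare and every function name are this example's assumptions, not taken from ToolbarDisplayLayout.java; the spoof target and attacker domain are the ones named in the report.

```javascript
// Added example (not Mozilla code): a model of the Firefox for Android
// address-bar domain highlighting described in bug 1479311, before and after
// the fix. Viewport width, URL layout and helper names are assumptions.

const BASE_DOMAIN = "www.yyy.com";            // the attacker's tab base domain (from the report)
const SPOOF_TARGET = "www.bankofamerica.com"; // the domain the attacker wants shown (from the report)
const VIEWPORT_CHARS = 40;                    // assumed: characters the address bar can display

// Constructed javascript: URL in the shape the report describes: JS code, then
// filler inside a trailing // comment, then the spoof target immediately
// before the tab's own base domain, which the highlighter will search for.
function craftSpoofUrl(spoofTarget, baseDomain) {
  return "javascript:setTimeout(function(){},0);//" +
    " ".repeat(60) + spoofTarget + "/?ref=" + baseDomain;
}

// Locate the tab's base domain inside the URL text (what the highlighting code
// looks for so it can emphasise the domain and scroll it into view).
function findBaseDomainSpan(url, baseDomain) {
  const start = url.indexOf(baseDomain);
  return start < 0 ? null : { start, end: start + baseDomain.length };
}

// Pre-fix behaviour: highlight the base domain wherever it occurs, whatever the scheme.
function highlightSpanVulnerable(url, baseDomain) {
  return findBaseDomainSpan(url, baseDomain);
}

// Post-fix behaviour: never highlight inside a javascript: URL, so the bar is not
// scrolled away from the scheme. The case-insensitive compare is this example's choice.
function highlightSpanFixed(url, baseDomain) {
  if (url.toLowerCase().startsWith("javascript:")) return null;
  return findBaseDomainSpan(url, baseDomain);
}

// Model of the toolbar viewport: with a highlighted span the text is scrolled so
// the span ends at the right edge; with no highlight the URL is shown from its start.
function visibleText(url, span, width) {
  if (span === null) return url.slice(0, width);
  const end = Math.max(span.end, width);
  return url.slice(end - width, end);
}

function renderVulnerable(url, baseDomain, width = VIEWPORT_CHARS) {
  return visibleText(url, highlightSpanVulnerable(url, baseDomain), width);
}

function renderFixed(url, baseDomain, width = VIEWPORT_CHARS) {
  return visibleText(url, highlightSpanFixed(url, baseDomain), width);
}

// What the user sees in each case for the crafted URL.
function demo() {
  const url = craftSpoofUrl(SPOOF_TARGET, BASE_DOMAIN);
  return {
    url,
    before: renderVulnerable(url, BASE_DOMAIN), // scheme scrolled out of view, spoof target at the left
    after: renderFixed(url, BASE_DOMAIN),       // "javascript:" at the left edge
  };
}

console.log(demo());
```

The pre-fix rendering shows the spoof target followed by the real base domain and never the scheme, which is exactly the condition the reporter describes; the post-fix rendering leaves a javascript: URL unscrolled. An ordinary https URL of the attacker's site is still highlighted after the fix, so the check is narrow.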
Comment on attachment 8997537 [details]: Bug 1479311 - Don't attempt finding and highlighting a tab's base domain within a javascript: URL.
Adding a simple check for protocol; let's uplift for beta 18.
Attachment #8997537 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 9 (6 years ago), bugherder uplift
Updated (6 years ago): Whiteboard: [adv-main62+]
Comment 10 (6 years ago):
Verified as fixed on Beta 62.0b19; javascript:setTimeout is visible in the URL bar.
Marking as verified since it won't fix 61.
Status: RESOLVED → VERIFIED
Comment 11 (6 years ago):
Unfortunately does not qualify for our bug bounty program.
Updated (6 years ago): Alias: CVE-2018-12382
Updated (5 years ago): Flags: sec-bounty-hof+
Updated (4 years ago): Product: Firefox for Android → Firefox for Android Graveyard