Closed Bug 361292 Opened 18 years ago Closed 18 years ago

Unwanted "system" message box generated by visiting a site

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 59314

People

(Reporter: Bob_Andersson, Unassigned)

Details

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1) Gecko/20061010 Firefox/2.0

  Firefox allowed a site to display a "system" message box on three consecutive visits to the same page today. The behavior has now stopped. Forcing closure of Firefox using Windows Task Manager also closed the message box indicating it as a child of Firefox. Additionally I ran two different Spyware scans (in addition to my daily scan) to make sure my PC is clean. Block Popup Windows is enabled as is Javascript.

  Should Firefox allow generation of a "system" message box in this way as, short of using Windows Task Manager, the only way to regain access to Firefox is by clicking the message box buttons which will activate unknown script?

Reproducible: Sometimes

Steps to Reproduce:
See details

Actual Results:  
See details

Expected Results:  
See details
Which site?
What did the unwanted dialog say?
(In reply to comment #1)
> Which site?

Not fair to mention the site as the editor has immediately taken action by contacting all advertisers and the problem is no longer apparent. I would, of course, have included the URL if the problem were still reproducible.

(In reply to comment #2)
> What did the unwanted dialog say?

It was a message box with a title saying it was a message from www.errorsafe.com and warning of Registry errors. That site has a Red rating from McAfee's SiteAdvisor. Because it was a System message box Windows refuses to allow the input focus to revert to the parent (in this case Firefox) until the message box is dismissed by clicking one of the buttons. I saved myself the hassle of being potentially redirected to a rogue site by using the Windows Task Manager to end the Firefox process which procedure also forces closure of child windows.

It could have just been an alert() dialog from the site -- those are modal to the Firefox window, and go away if you force-quit Firefox.  What makes you think it was a "system" dialog?

I'm guessing this is invalid or a dup of bug 59314.
(In reply to comment #5)
> It could have just been an alert() dialog from the site -- those are modal to
> the Firefox window, and go away if you force-quit Firefox.  What makes you
> think it was a "system" dialog?
> 
> I'm guessing this is invalid or a dup of bug 59314.
> 
Thanks for the quick responses. To take your points in order...

I've just refreshed my memory (Petzold "Programming Windows") and you are right. I should have used the word "modal" instead of "system" in the original report. My description of the errant behavior was, however, accurate in that short of clicking a button in the message box the only way out is to force closure of the Firefox session by using the Windows Task Manager.

I worry about your saying "It could have just been an alert() dialog from the site". I believe it is not acceptable for Firefox to allow creation of such modal objects which prevent the user from navigating away from the offending page without activating an unknown script by clicking a button. A web page which asks Firefox to create such an object effectively forces me to lose all other tabs in the session which, if Firefox 2 works securely, also means that even if a session is restored any temporary cookies have been lost.

As for bug 59314, I did review this before I submitted my own bug report. I didn't click either of the message box buttons but I have a strong feeling that the message box was designed to navigate me to an unsafe site rather than to achieve a DoS.
The problem occurred again. This time I clicked the Cancel button and ZoneAlarm then informed me that it had blocked Spyware from www .imagesrvr.com which had been invoked as a result of an attempt to navigate to www .errorsafe.com (even though I had clicked Cancel).

The source code associated with the page that generated the offending message box at
http://www.sciencedaily.com/releases/2006/11/061113175931.htm
will be added as a separate attachment but I believe that the problem is being invoked by advertising invoked as the page is rendered.
Attached file: Source code from the offending URL (deleted)
Included for completeness but I believe the problem lies with advertising invoked as the page was rendered
> I believe it is not acceptable for Firefox to allow creation of such
> modal objects which prevent the user from navigating away from the offending
> page without activating an unknown script by clicking a button.

The "unknown script" is already running before it calls confirm(), so you're not really "activating" anything by clicking "OK" or "Cancel".
(In reply to comment #9)
> > I believe it is not acceptable for Firefox to allow creation of such
> > modal objects which prevent the user from navigating away from the offending
> > page without activating an unknown script by clicking a button.
> 
> The "unknown script" is already running before it calls confirm(), so you're
> not really "activating" anything by clicking "OK" or "Cancel".
> 
Technically correct but the security issue didn't occur UNTIL I clicked the Cancel button. Such indirection may be a mechanism used by criminals to avoid detection by such as McAfee's SiteAdvisor. It is no coincidence that the message box isn't always generated every time the host site is visited.

More to the point, the BUG is that Firefox allowed a web page to create an object that forced me to shut down the browser.

Question: Why can't Firefox create modeless message boxes? If code is added to make sure that such objects always appear and remain in front of the parent window (Firefox) then the effect is the same but then Firefox still retains the ability to detect a user closing the parent Tab or requesting Firefox to shut down via the usual mechanisms.
Blocks: 59314

*** This bug has been marked as a duplicate of 59314 ***
No longer blocks: 59314
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
(In reply to comment #11)
> 
> *** This bug has been marked as a duplicate of 59314 ***
> 
Sorry not to have spotted 59314 - I did try. I really appreciate the work the Firefox community does and it was far from my intention to cause unnecessary work.

Thank you.
Attachment #246175 - Attachment filename: hijack.gif