Properties of window.focus can be accessed across domains in Firefox 2. This includes properties added to Function.prototype. For example, the Prototype JS library is used by twitter.com to install an argumentNames method to Function.prototype. An attacker on evil.com can call victimWindow.focus.argumentNames() to obtain a reference to a twitter.com Array. The attacker can then call methods added by the Prototype JS library to Array.prototype to completely control the twitter.com window. This proof of concept alerts twitter.com's document.domain and document.cookie: http://crypto.stanford.edu/~collinj/test/ff2focus/

Marking security sensitive.

This is a dupe of bug 369334. This problem was one of the main driving forces behind cross origin wrappers. The particular testcase linked to from the URL field here runs into the fact that cross-origin functions (such as victim.focus) come from the *calling* scope now, so prototype.js stuff on the victim site is invisible.