Mozilla Foundation Security Advisory 2016-52
Addressbar spoofing through the SELECT element
- Announced: June 7, 2016
- Reporter: Jordi Chancel
- Impact: Moderate
- Products: Firefox, Firefox ESR
- Fixed in: Firefox 47, Firefox ESR 45.2
 
Description
Security researcher Jordi Chancel reported a method to spoof the
contents of the addressbar. The method uses a persistent menu within a
<select> element, which acts as a container for HTML content and can be
placed in an arbitrary location. When placed over the addressbar, this menu
can mask the true site URL, allowing for spoofing by a malicious site.