Hi malware fighters,
Many have heard about JS exploits like clickjacking, but there are other JavaScript design flaws, as the following example shows… First of all, the user clicks on a button/link. Then a new tab/window opens which loads the content of hxxp://www.google.com. Five seconds later, the newly created tab is preloaded with the content of hxxp://www.gnucitizen.org. Disturbing here is the break in the trust relationship between the user and google.com… and there are various other ways to play out this simple magic… as gnucitizen found.
<html>
  <body>
    <script>
      function clickme() {
        // Open a new tab/window and keep the handle to it.
        var w = window.open('hxxp://www.google.com');
        // Five seconds later, re-point that same tab at a different site.
        setTimeout(function () {
          w.location = 'hxxp://www.gnucitizen.org';
        }, 5000);
      }
    </script>
    <input type="button" value="click me" onclick="clickme(this)"/>
  </body>
</html>
Just another reason to have NoScript and RequestPolicy inside the Fx browser,
polonus
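
A defensive sketch, added here and not part of the original post: a heuristic scanner that flags the pattern in the snippet above, a handle saved from window.open() that is later re-pointed through .location, and records whether that re-navigation sits inside a timer callback. The function name findTabRenavigation and the sample string are constructed for illustration, and the regex matching is an assumption that only holds for simple, unobfuscated scripts.

```javascript
// Added example: heuristic scan for a saved window.open() handle that is
// later re-pointed via .location. Regex-based, so simple scripts only.
function findTabRenavigation(source) {
  const findings = [];
  // Step 1: variables that receive a window handle, e.g. w = window.open('...')
  const openRe = /\b([A-Za-z_]\w*)\s*=\s*window\.open\s*\(\s*(['"])(.*?)\2/g;
  let open;
  while ((open = openRe.exec(source)) !== null) {
    const [, handle, , firstUrl] = open;
    const rest = source.slice(openRe.lastIndex);
    // Step 2: later navigation of that handle (.location =, .href =, assign, replace)
    const navRe = new RegExp(
      '\\b' + handle +
      '\\.location(?:\\.href\\s*=|\\.(?:assign|replace)\\s*\\(|\\s*=)' +
      '\\s*([\'"])(.*?)\\1', 'g');
    let nav;
    while ((nav = navRe.exec(rest)) !== null) {
      // Step 3: is the navigation still inside an open setTimeout/setInterval callback?
      const before = rest.slice(0, nav.index);
      const timerAt = Math.max(
        before.lastIndexOf('setTimeout('), before.lastIndexOf('setInterval('));
      let depth = 0;
      if (timerAt >= 0) {
        for (const ch of before.slice(timerAt)) {
          if (ch === '{') depth++;
          else if (ch === '}') depth--;
        }
      }
      findings.push({
        handle, firstUrl, secondUrl: nav[2],
        delayed: timerAt >= 0 && depth > 0 });
    }
  }
  return findings;
}

// Constructed sample: the script from the post (URLs defanged as posted).
const SAMPLE_PAGE = `
function clickme() {
  var w = window.open('hxxp://www.google.com');
  setTimeout(function () {
    w.location = 'hxxp://www.gnucitizen.org';
  }, 5000);
}`;
console.log(findTabRenavigation(SAMPLE_PAGE));
```

A finding with `delayed: true` and two different URLs is the combination worth reviewing by hand; a popup that is opened and never re-navigated produces no finding.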