New IE7, Opera and Firefox JavaScript Issues

Written by Editor
Tuesday, 27 February 2007 10:40

Security researcher Michal Zalewski has done it again, this time with a JavaScript onUnload event issue that affects IE7, Opera and Firefox and could help phishers dupe victims. The issue is that IE7, Opera and Firefox do not handle the onUnload event properly. An attacker can use JavaScript onUnload events to run JavaScript in the context of a newly loaded window. This means that an attacker could attempt to transparently redirect the request from a compromised URL to a specific URL prepared by the attacker. This sort of vulnerability is ideal for phishing attacks.

For Firefox and Opera users the address bar will show the redirected URL, so an observant user would spot the redirection. However, Internet Explorer 7 will not update the address bar, so the user will have no indication of the redirection.

At this time the redirection issue is unfixed in IE7, Opera 9.1 and Firefox 2.0.0.2. For Firefox, MFSA-2007-08 seems to indicate that the issue is resolved, although it could be a related issue. It is possible to test out this attack here for IE7 and Opera and here for Firefox. The Apple Safari browser seems to be unaffected by this issue.













