New issue
Advanced search Search tips

Issue 640946 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Aug 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security



Sign in to add a comment

Security: Opening popup without user's interaction

Reported by ondrejko...@gmail.com, Aug 25 2016

Issue description

This bug allows by clicking/opening url open a popup window.

VULNERABILITY DETAILS
It can be used for phishing, advertisment and many more. It can also open popup from e-mail after clicking on a link. Script simulates a click event on a button which opens the popup and moves history back (so the page disappears). It also tries to close the new window if history.back didn't work.
Buttons are hidden using CSS.

VERSION
Chrome Version: 52.0.2743.116 (Oficiálne zostavenie) m (32-bitová verzia)
Operating System: the newest Windows 10 with Anniversary update

REPRODUCTION CASE
Navigate to file's URL to open popup.


 
index.html
628 bytes View Download
I have tested this thing on other browsers:
Internet Explorer: Popup blocked
Edge: Popup blocked
Firefox: Popup blocked
Components: UI>Browser>PopupBlocker
Labels: Security_Severity-Low Security_Impact-Stable OS-All Pri-1
Owner: jochen@chromium.org
Status: Assigned (was: Unconfirmed)
Jochen, can you please take a look or suggest an owner.

Comment 3 by jochen@chromium.org, Aug 26 2016

Labels: Needs-Feedback
I can't reproduce this on ToT nor on stable
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 26 2016

Labels: -Pri-1 Pri-2

Comment 5 by jochen@chromium.org, Aug 30 2016

Status: WontFix (was: Assigned)
marking as wontfix due to no additional feedback
Project Member

Comment 6 by sheriffbot@chromium.org, Dec 7 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment