Juha-Matti Laurio reported a vulnerability in the tabbed browsing feature of the Epiphany browser. A remote user may be able to spoof web page functions.
It is reported that when a target user has multiple tabs open, an inactive tab can issue a dialog box that will be displayed even though the target user is currently viewing a different tab. As a result, a remote user may be able to spoof functions on the web site in the active tab.
The vulnerability is due to a previously reported underlying flaw in the Mozilla Gecko engine, which is used by Epiphany. Secunia Research reported the flaw in Mozilla.
A demonstration exploit is available at http://secunia.com/multiple_browsers_dialog_box_spoofing_test/
The vendor was notified on October 30, 2004.
Impact: A remote user may be able to spoof web page functions.
Solution: No solution was available at the time of this entry.