Mozilla Foundation Security Advisory 2005-54
Title: Javascript prompt origin spoofing
Severity: Low
Reporter: Secunia.com
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.5, Mozilla Suite 1.7.9
Description
Alerts and prompts created by scripts in web pages are presented with the
generic title [JavaScript Application], which sometimes makes it difficult to
know which site created them. A malicious page could cause a prompt to appear
in front of a trusted site in an attempt to extract information such as
passwords from the user.
In the fixed version these prompts will contain the hostname from the
page which created them.
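A sketch of the fixed behaviour, added here as an illustration and not Mozilla's code: the title is derived from the URL of the document whose script opened the prompt, never from the window that happens to be in front. The function name, the title format and the sample URLs are assumptions.

```javascript
// Added illustration; promptTitle, GENERIC_TITLE and the title format are hypothetical.
const GENERIC_TITLE = "[JavaScript Application]";

// Schemes whose URLs carry a network host that identifies a site.
const HOST_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// Build the dialog title from the URL of the document that called
// alert()/confirm()/prompt().
function promptTitle(creatorUrl) {
  let url;
  try {
    url = new URL(creatorUrl);
  } catch (e) {
    return GENERIC_TITLE; // unparseable URL: claim no origin at all
  }
  // data:, javascript:, about: and similar URLs have no host to display.
  if (!HOST_SCHEMES.has(url.protocol) || url.hostname === "") {
    return GENERIC_TITLE;
  }
  // url.hostname is lower-cased and excludes userinfo, port, path and query,
  // so page-controlled text around the host cannot leak into the title.
  return `[JavaScript Application - ${url.protocol}//${url.hostname}]`;
}

// Constructed sample: a top-level page and other documents that may open prompts.
const SAMPLE_CREATORS = [
  "https://www.bank.example/login",               // the trusted page itself
  "http://ads.other.example:8080/frame.html",     // a different site's window
  "http://www.bank.example@ads.other.example/x",  // userinfo is not the host
  "data:text/html,<script>prompt('pw')</script>", // no host at all
];

function titlesForSample() {
  return SAMPLE_CREATORS.map(promptTitle);
}

console.log(titlesForSample().join("\n"));
```

Only the first sample URL yields a title naming www.bank.example; the others name their real host or fall back to the generic title.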
Workaround
Do not enter sensitive information into a "JavaScript Application" prompt;
such prompts are almost never used for this purpose. If you must, first drag the
prompt on the desktop and make sure there is not a tiny window hiding
behind it.
References
https://secunia.com/advisories/15489/
https://bugzilla.mozilla.org/show_bug.cgi?id=298934