Netscape Communicator Javascript TITLE Vulnerability

A security vulnerability in Netscape Communicator's handling of Javascript embedded in an HTML page's title allows attackers to read a user's cache (including cached form input such as passwords and credit card numbers), as well as Communicator's configuration (including email address, mail servers, mail passwords, etc.). This vulnerability can be exploited both via e-mail and web pages.

Javascript can be embedded inside a TITLE HTML tag. If the script then redirects the browser to view information about the document via the URL "wysiwyg://1/about:document", the Javascript in the embedded TITLE is executed in the security context of "about:" URLs. This allows access to the information displayed in "about:cache", "about:config", "about:global" and other "about:" documents.

This vulnerability can be exploited via web pages and e-mail.
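A defender-side check for the pattern described above, written as an added example that is not part of the advisory: it flags HTML (or the text/html part of an e-mail) whose TITLE element contains script, and any redirect to a "wysiwyg://N/about:..." URL. The sample documents and the mail message are constructed for the example; the finding tag names are arbitrary.

```python
import email
import re

# Patterns for what the advisory describes: script inside the TITLE element and
# a redirect to "wysiwyg://N/about:..." that makes Communicator run it in the
# about: context. The "about:" page names are the ones the advisory lists.
TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)</title\s*>", re.IGNORECASE | re.DOTALL)
SCRIPT_RE = re.compile(r"<script\b|javascript:", re.IGNORECASE)
ABOUT_RE = re.compile(
    r"wysiwyg://\d+/about:|\babout:(?:cache|config|global|document)\b", re.IGNORECASE)

def inspect_html(html: str) -> list[str]:
    """Return sorted finding tags for one HTML document (empty list if clean)."""
    findings = set()
    for match in TITLE_RE.finditer(html):
        title_body = match.group(1)
        if SCRIPT_RE.search(title_body):
            findings.add("script-in-title")
        if ABOUT_RE.search(title_body):
            findings.add("about-url-in-title")
    # A wysiwyg://.../about: redirect outside the title is still worth flagging.
    if ABOUT_RE.search(TITLE_RE.sub("", html)):
        findings.add("wysiwyg-about-redirect")
    return sorted(findings)

def inspect_message(raw: str) -> list[str]:
    """Walk a MIME message and inspect every text/html part (the e-mail vector)."""
    findings = set()
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "us-ascii"
            html = part.get_payload(decode=True).decode(charset, "replace")
            findings.update(inspect_html(html))
    return sorted(findings)

# Constructed samples (hypothetical, not taken from the advisory).
SUSPECT_HTML = ('<html><head><title>Hello<script>location="wysiwyg://1/about:document";'
                "</script></title></head><body>welcome</body></html>")
REDIRECT_ONLY_HTML = ("<html><head><title>Hello</title></head><body>"
                      '<script>location="wysiwyg://1/about:cache";</script></body></html>')
BENIGN_HTML = ("<html><head><title>Quarterly report</title></head>"
               "<body><script>var x = 1;</script></body></html>")
SUSPECT_MAIL = ("From: sender@example.test\nTo: user@example.test\nSubject: hi\n"
                "Content-Type: text/html; charset=us-ascii\n\n" + SUSPECT_HTML)

if __name__ == "__main__":
    print(inspect_html(SUSPECT_HTML))        # ['about-url-in-title', 'script-in-title']
    print(inspect_message(SUSPECT_MAIL))     # same findings, reached via the MIME part
```

Script in the body of a page is normal and is not flagged on its own; only script inside TITLE and the about: redirect are treated as indicators.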

Copyright 2010, SecurityFocus