JavaScript bug in Navigator 4.04

The problem lets developers set a JavaScript button that will close a window or eliminate its navigation tools without asking the user for confirmation.

Netscape Communications (NSCP) executives today confirmed the existence of a JavaScript bug in Navigator 4.04 that could strand unsuspecting Web surfers without a toolbar or even a window.

Netscape's senior security product manager, David Andrews, conceded that a malicious Webmaster could use the bug to create a denial-of-service attack, but he characterized the threat as a "really minor...nuisance attack."

The problem, reported by Java developer Patrick Morris-Suzuki on his Web page, lets Web developers set a JavaScript button that will close a window or eliminate its navigation tools without asking the user for confirmation. The problem surfaces on computers running Microsoft Windows 95.

Netscape's JavaScript reference for Navigator 4.0 and higher states that in order to "unconditionally close a window, you need the UniversalBrowserWrite privilege." Netscape technology executives said the requirement for a signature applied only to the current HTML browser window as opposed to those opened with JavaScript, and that Morris-Suzuki had succeeded in manipulating current HTML windows as though they had been opened with JavaScript.

To close a window "unconditionally" means the user is not asked for confirmation that the window should close. On Microsoft's Internet Explorer browser, for example, the same function causes a dialog box to appear warning the user: "The Web site you are viewing is trying to close the window. Do you want to close this window?" Netscape 3.0 does not recognize the JavaScript instruction to close the window at all.

JavaScript and other scripting languages often are used to communicate information to the browser. Signed JavaScripts contain digital certificates or signatures that verify the identity of the server and authorize it to perform certain operations.

Navigator 4.04 also enables an unsigned JavaScript to alter the features of the browser window known as "chrome," which include the navigation, status, and toolbars.

"We take all of these security concerns seriously, but we look at them along a continuum," said Andrews. "This kind of attack wouldn't allow the stealing of information either from your browser, like where you've surfed on the Web, or information stored on the hard drive."

Andrews said Netscape engineers were looking into the problem, and that the company "possibly" would fix it.