Mozilla developer Myk Melez reported that with specifically timed page navigation, the doorhanger notification for Web App installation could persist from one site to another without being dismissed by the navigation. This could be used by a malicious site to trick a user into installing an application from one site while making it appear to come from another.



External Reference:

http://www.mozilla.org/security/announce/2013/mfsa2013-105.html


Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Myk Melez as the original reporter.

Statement:

This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5 and 6