A race condition exists when setting the window.location property on a web page. This flaw could allow a page to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header.
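The description above says that sites relying only on the Referer header are exposed. As an added example (not part of the original report or of the vendor fix), this Python sketch contrasts a Referer-only check with one that also requires a session-bound token. TRUSTED_ORIGIN, SERVER_KEY and the request dictionary layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed names for this sketch: TRUSTED_ORIGIN, SERVER_KEY and the request dict layout.
TRUSTED_ORIGIN = "https://bank.example"
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, constructed here


def referer_is_same_origin(headers):
    """True when the Referer header's scheme and host match the trusted origin."""
    parts = urlsplit(headers.get("Referer", ""))
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def issue_csrf_token(session_id):
    """Token bound to the session; embedded in forms the site itself serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def referer_only_check(request):
    """Weak: trusts a header that the flaw described above lets another page set."""
    return referer_is_same_origin(request["headers"])


def hardened_check(request):
    """Requires the session-bound token; the Referer is only an additional signal."""
    expected = issue_csrf_token(request["session_id"])
    supplied = request["form"].get("csrf_token", "")
    token_ok = hmac.compare_digest(expected, supplied)
    return token_ok and referer_is_same_origin(request["headers"])


def sample_requests():
    """Constructed requests: one from the site's own form, one cross-site with a forged Referer."""
    sid = "session-1234"  # constructed session identifier
    legit = {"session_id": sid,
             "headers": {"Referer": TRUSTED_ORIGIN + "/transfer"},
             "form": {"amount": "10", "csrf_token": issue_csrf_token(sid)}}
    forged = {"session_id": sid,  # the session cookie accompanies the cross-site request
              "headers": {"Referer": TRUSTED_ORIGIN + "/transfer"},
              "form": {"amount": "9999"}}  # a foreign page cannot read the token
    return legit, forged


if __name__ == "__main__":
    for name, req in zip(("legit", "forged"), sample_requests()):
        print(name, referer_only_check(req), hardened_check(req))
```

The forged request passes the Referer-only check but is rejected once the token is required, because the token is never exposed to another origin.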
Lifting embargo
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2007-1084.html
http://rhn.redhat.com/errata/RHSA-2007-1082.html
http://rhn.redhat.com/errata/RHSA-2007-1083.html