Security researcher Jordi Chancel reported an issue similar to one fixed in mfsa2009-44 in which a web page can set document.location to a URL that can't be displayed properly and then inject content into the resulting blank page. An attacker could use this vulnerability to place a legitimate-looking but invalid URL in the location bar and inject HTML and JavaScript into the body of the page, resulting in a spoofing attack.
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1674 https://rhn.redhat.com/errata/RHSA-2009-1674.html
firefox-3.5.6-1.fc11, epiphany-extensions-2.26.1-9.fc11, yelp-2.26.0-10.fc11, ruby-gnome2-0.19.3-5.fc11, perl-Gtk2-MozEmbed-0.08-6.fc11.8, mozvoikko-0.9.7-0.10.rc1.fc11, monodevelop-2.0-8.fc11, Miro-2.5.2-7.fc11, kazehakase-0.5.8-4.fc11, google-gadgets-0.11.1-4.fc11, hulahop-0.4.9-11.fc11, gnome-web-photo-0.7-9.fc11, galeon-2.0.7-19.fc11, gnome-python2-extras-2.25.3-10.fc11, evolution-rss-0.1.4-9.fc11, blam-1.8.5-17.fc11, pcmanx-gtk2-0.3.8-11.fc11, epiphany-2.26.3-7.fc11, chmsee-1.0.1-14.fc11, xulrunner-1.9.1.6-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
gnome-python2-extras-2.25.3-14.fc12, mozvoikko-1.0-7.fc12, gnome-web-photo-0.9-4.fc12, galeon-2.0.7-19.fc12, Miro-2.5.2-7.fc12, firefox-3.5.6-1.fc12, perl-Gtk2-MozEmbed-0.08-6.fc12.10, blam-1.8.5-21.fc12, xulrunner-1.9.1.6-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.