need to report a vulnerability in java in firefox

Hello, I am managing a website for a client. Noticed today that there are links showing up at the end of one of our pages, but only with Firefox 4.01. Earlier versions and IE do not show the links.

We are thinking it is a JavaScript vulnerability. Just started today. Directions to view it below.

Go to americanaexchange.com. Click on AEMonthly (top right of the page).

Next page, on the right side, in the search box put in Potter, run the search (any search will work but we are using this one).

On the next page click on the Read More button for any of the results.

Next page look at the bottom of the page and you will see all the links for the drug advertisement.

We are checking everything on our end. We have an excellent team that runs the firewall and the security and they are looking.

Again, the links only show up in Firefox 4.01. No other browser, and so far only this page.

If you know of an issue, please let us know.

All Replies (1)

Those links are in your page in Firefox 3.6 and IE8, but you can't see them. In those browsers, you can confirm by using their view source feature and searching for:

<span style='display:none'>

This persists even if I disable JavaScript and reload the page.

Because Firefox 4 has a stricter interpretation of HTML, the intended hiding of that content does not work. (Specifically, the code places a <p> inside a <span> which technically is not permitted.)

To compare Firefox 4 without the new rules, you can turn off the HTML5 parser like this:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the filter box, type or paste html5 and pause while the list is filtered.

(3) Double-click html5.parser.enable to toggle it to false (line should turn bold).

Then reload the problem page and the links should be hidden again.

So this suggests your server application has been exploited, perhaps by an include in one of your templates.

Modified by jscher2000 - Support Volunteer
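
A server-side check for the pattern described in the reply above, added here as an example and not part of the original thread or of any Mozilla tool: it scans page source for external links inside elements hidden with an inline style, and flags block elements nested in a hidden span. The names `scan` and `HiddenLinkScanner`, the host `www.example.org` and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}
BLOCK = {"p", "div", "ul", "ol", "li", "table", "h1", "h2", "h3"}

class HiddenLinkScanner(HTMLParser):
    # Tracks tags in source order, without a browser's tree fix-ups.
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []      # (tag, hidden_by_inline_style) per open element
        self.findings = []   # (line, kind, detail)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        # Nearest enclosing element hidden by its inline style, if any.
        wrapper = next((t for t, h in reversed(self.stack) if h), None)
        if wrapper:
            host = urlparse(attrs.get("href") or "").hostname
            if tag == "a" and host and host != self.site_host:
                self.findings.append((line, "hidden-external-link", attrs["href"]))
            if wrapper == "span" and tag in BLOCK:  # invalid nesting, may show in HTML5
                self.findings.append((line, "block-in-hidden-span", tag))
        if tag not in VOID:
            self.stack.append((tag, bool(HIDDEN.search(attrs.get("style") or ""))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; ignore stray closers.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan(html, site_host):
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not the markup from the affected site.
SAMPLE = """<html><body><p>Article. <a href="/aemonthly">More</a></p>
<span style='display:none'>
<p><a href="http://pills.example/buy">cheap pills</a></p></span>
</body></html>"""
print(scan(SAMPLE, "www.example.org"))
```

Run it against the HTML your server actually returns, since the reply notes the hidden block is present even with JavaScript disabled; a hit on a page whose template does not contain that markup points to the include or template layer.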