Load "noscript" plugin and you'll save yourself some possible grief...


http://www.heise-security.co.uk/news/86551

Spoofing vulnerability in Firefox

A design error in the Firefox browser can allow phishers to conceal the
true origin of a web page from the user. This could be used to place
extremely convincing fake web pages impersonating organisations such as
banks, eBay, PayPal and other providers on the web (spoofing). Browser
security specialist Michal Zalewski has provided a demonstration web page
so that interested users can understand the problem. The demo works with
Firefox 1.5 and 2.0.

According to Zalewski, the problem lies in the way Firefox deals with the
URL about:blank, which opens a blank page. The browser shows neither a URL
in the address bar nor information in the window's title bar. However,
JavaScript can also open such a page, and various JavaScript functions can
be used to insert additional content into it. This is normally not possible
for windows originating from different domains, but because about:blank is
not assigned to any domain and document.location is not defined, it works
nevertheless. According to Zalewski, older spoofing bugs can also be
exploited again in Firefox in this way.

The only remedy at present is to disable JavaScript or to use the NoScript
plugin http://noscript.net/ for Firefox, which only allows scripting on
known, trusted websites.
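The two points above, that about:blank belongs to no domain and that a script allowlist is the practical defence, can be shown in a few lines. The following is an added example, not code from the heise article, from Zalewski's demo or from NoScript: it computes the origin of a page URL the way the WHATWG URL standard (as implemented by Node's `URL` class) does, and allows scripting only for hosts on a hypothetical allowlist. Opaque origins such as about:blank serialise as the string "null" and therefore can never match a trusted host.

```javascript
// Added example (not from the heise article, Zalewski's demo or NoScript):
// a minimal NoScript-style policy check. The allowlist, the sample URLs and
// the hostname attacker.example are constructed for illustration.

// Origin of a URL per the WHATWG URL standard: "null" for opaque origins
// (about:blank, javascript:, data:), null if the string is not a URL at all.
function originOf(urlString) {
  try {
    return new URL(urlString).origin;
  } catch (e) {
    return null; // unparsable URL: no origin to reason about
  }
}

// Decide whether scripting should be allowed for a page at urlString.
// Returns { origin, allowed, reason } so callers can log the decision.
function scriptingDecision(urlString, trustedHosts) {
  const origin = originOf(urlString);
  if (origin === null) {
    return { origin, allowed: false, reason: "unparsable URL" };
  }
  if (origin === "null") {
    // about:blank and friends: no domain, so no trust relationship exists
    return { origin, allowed: false, reason: "opaque origin (no domain)" };
  }
  const host = new URL(origin).hostname; // exact host match only, no subdomains
  const allowed = trustedHosts.includes(host);
  return {
    origin,
    allowed,
    reason: allowed ? "host on allowlist" : "host not on allowlist",
  };
}

// Constructed sample data: a hypothetical allowlist and a few page URLs.
const TRUSTED_HOSTS = ["www.paypal.com", "www.ebay.com"];
const SAMPLE_URLS = [
  "https://www.paypal.com/login",
  "http://attacker.example/page.html",
  "about:blank",
  "javascript:void(0)",
  "not a url",
];

// Evaluate every sample URL against the allowlist.
function runSamples() {
  return SAMPLE_URLS.map((u) => ({ url: u, ...scriptingDecision(u, TRUSTED_HOSTS) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) {
    console.log(
      `${r.url.padEnd(36)} origin=${String(r.origin).padEnd(24)} allowed=${r.allowed} (${r.reason})`
    );
  }
}
```

Run it with `node` to see that only the allowlisted host is granted scripting, while about:blank and javascript: URLs are rejected because their origin is "null" rather than a domain. The same logic is why the address bar cannot be relied on for such windows: there is no domain to display, and no domain against which a policy could be matched.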

See also:

Firefox about:blank spoofing demos http://lcamtuf.coredump.cx/ffblank/,
description and demo of the vulnerability from Michal Zalewski