According to Danish security firm Secunia, Mozilla 1.7.x and Firefox 1.x are vulnerable to a frame injection flaw that first surfaced in 1998. Hackers could exploit the bug to insert their own content into the view of a legitimate site, to, for instance, pose as the log-in frame, then collect usernames and passwords to online bank accounts.
"The flaw means that if you are viewing a trusted site in one window (PayPal or your bank) and open a site belonging to a spoofer in another window, the spoofer can insert code in the window showing the trusted site," wrote a moderator on Mozilla's online forum Monday.
Secunia rated the bug as "moderately critical," and posted an example exploit so users could test their browser for the flaw. The same vulnerability was spotted in Firefox, as well as virtually every other browser in use, almost a year ago, and fixed in a pre-release version of Firefox and in Mozilla 1.7. The new vulnerability is a slight variation of that fixed flaw.
"To protect yourself, close all other windows/tabs before accessing a site where you routinely put in a secure password (your bank or PayPal account), or your bank or credit card details (e.g. Amazon), or other sensitive data," recommended Mozilla's online moderator.