There is a new vulnerability in Firefox that enables an attacker to open a new tab in a victim’s browser with a spoofed URL. The vulnerability is found in all current versions of Firefox and Mozilla does not have a patch for the problem yet.
The vulnerability would be useful for attackers in a phishing attack, given the ability to spoof the URL in the new tab or window. From the Mozilla blog entry on the bug:
If a user visits a page hosting this malicious code, a new window or tab can be opened with a faked URL. There is no way of determining if the URL is authentic. This could result in the user disclosing confidential information to the malicious site, known as a phishing attack.
Mozilla said it is working on a fix for the problem, but did not disclose a time line for releasing a patch.