Original issue date: July 8, 1997<BR>
Last revised: November 9, 1999<BR>
Updated broken links.<BR>

<P>A complete revision history is at the end of this file.

<P>The CERT Coordination Center has received reports of a vulnerability
in JavaScript that enables remote attackers to monitor a user's Web activities.
The vulnerability affects several Web browsers that support JavaScript.

<P>The vulnerability can be exploited even if the browser is behind a firewall
and even when users browse "secure" HTTPS-based documents.

<P>The CERT/CC team recommends installing a patch from your vendor or upgrading
to a version that is not vulnerable to this problem (see Section III. A).
Until you can do so, we recommend disabling JavaScript (see Section III.B).

<P>We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

<P><HR>
<H2>I. Description</H2>
Several web browsers support the ability to download JavaScript programs
with an HTML page and execute them within the browser. These programs are
typically used to interact with the browser user and transmit information
between the browser and the Web server that provided the page.

<P>JavaScript programs are executed within the security context of the
page with which they were downloaded, and they have restricted access to
other resources within the browser. Security flaws exist in certain Web
browsers that permit JavaScript programs to monitor a user's browser activities
beyond the security context of the page with which the program was downloaded.
It may not be obvious to the browser user that such a program is running,
and it may be difficult or impossible for the browser user to determine
if the program is transmitting information back to its web server.

<P>The vulnerability can be exploited even if the Web browser is behind
a firewall (if JavaScript is permitted through the firewall) and even when
users browse "secure" HTTPS-based documents.
<H2>II. Impact</H2>
This vulnerability permits remote attackers to monitor a user's browser
activity, including:
<UL>
<LI>observing the URLs of visited documents,</LI>

<LI>observing data filled into HTML forms (including passwords), and</LI>

<LI>observing the values of cookies.</LI>
</UL>

<H2>III. Solution</H2>
The best solution is to obtain a patch from your vendor or upgrade to a
version that is not vulnerable to this problem. If a patch or upgrade is
not available, or you cannot install it right away, we recommend disabling
JavaScript until the fix is installed.
<H3>A. Obtain and install a patch for this problem.</H3>
See Appendix A for the current information from vendors. We will update
the appendix when we receive further information.
<H3>B. Disable JavaScript.</H3>
Until you are able to install the appropriate patch, we recommend disabling
JavaScript in your browser. Note that JavaScript and Java are two different
languages, and this particular problem is only with JavaScript. Enabling
or disabling Java rather than JavaScript will have no effect on this problem.

<P>The way to disable JavaScript is specific to each browser. The option,
if available at all, is typically found as one of the Options or Preferences
settings.

<P><HR>
<BR>
<H2>Appendix A - Vendor Information</H2>
Below is information we have received from vendors. We will update this
appendix as we receive additional information.
<H3>Hewlett-Packard</H3>
For more information please refer to the Hewlett-Packard Security Advisory
"Security Advisory in Netscape shipped with HP-UX", Document ID: HPSBUX9707-065.

<P>Use your browser to get to the HP Electronic Support Center page:

<P><A HREF="http://us-support.external.hp.com">http://us-support.external.hp.com</A>

<P>(for US, Canada, Asia-Pacific, &amp; Latin-America)

<P><A HREF="http://europe-support.external.hp.com">http://europe-support.external.hp.com</A>

<P>(for Europe)

<P>Click on the Technical Knowledge Database, register as a user (remember
to save the User ID assigned to you, and your password), and it will connect
to a HP Search Technical Knowledge DB page. Near the bottom is a hyperlink
to our Security Bulletin archive. Once in the archive there is another
link to our current security patch matrix. Updated daily, this matrix is
categorized by platform/OS release, and by bulletin topic.

<H3>IBM Corporation</H3>
Netscape for IBM's OS/2 Operating System is vulnerable. The vulnerable
version and the patched version are both 2.02. 

<P>To tell if you need to download and reinstall, open the Netscape folder
on the OS/2 desktop. Click on the icon marked "Installation Utility." When
the "Installation and Maintenance" program starts, make sure "02.02.00
Netscape for OS/2" is highlighted and hit control-S. On the product status
panel that opens up, highlight "Netscape Navigator" and then press the
"Service Level" button next to it. Ignore the install date -- that's the
date Navigator was installed. If "Level" is not "000004" or later, you
should download Netscape Navigator for OS/2 from the above mentioned URL
and install it.
<H3>Microsoft</H3>
Microsoft Internet Explorer 3.* and 4.* are vulnerable. Microsoft has announced
their patch plans for this problem at:

<P><A HREF="http://www.microsoft.com/ie/security/default.asp">
http://www.microsoft.com/ie/security/default.asp</A>

<H3>Netscape</H3>
Netscape Navigator/Communicator versions 2.*, 3.* and 4.* are vulnerable.
<BR>See:

<P>
<A HREF="http://www.netscape.com/security/index.html">
http://www.netscape.com/security/index.html</A>

<P>for details.

<P><HR>

<P>The CERT Coordination Center thanks Vinod Anupam of Bell Labs, Lucent
Technologies, for identifying and analyzing this problem, and vendors for
their support in responding to this problem.

<P>
<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1997 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Sept. 30, 1997 Updated copyright statement
Sept. 17, 1997 Appendix A - updated Netscape's URLs
               Updated our copyright statement
July 28, 1997  Appendix A - added information for Hewlett-Packard and IBM.
               Section III.A - slight wording change.
July 14, 1997  Section III.B - fixed a typographical error.
July 11, 1997  Updated Appendix A with vendor information
               for vulnerable browers.
November 9, 1999   Updated broken links.
</PRE>