A javascript: url loaded by a malicious page can obfuscate its location by blanking the URL displayed in the address bar, allowing for an attacker to spoof an existing page without the malicious page's address being displayed correctly.
A javascript: url loaded by a malicious page can obfuscate its location by blanking the URL displayed in the address bar, allowing for an attacker to spoof an existing page without the malicious page's address being displayed correctly.
https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5420 https://bugzilla.mozilla.org/show_bug.cgi?id=1284395