Reloads and redirects can allow spoofing and cross-site scripting – Opera Security Advisories

Severity

Critical

Description

Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context. Carefully timed reloads and redirects, when combined with appropriate caching, can cause scripts to execute in the wrong security context in Opera. This allows cross-site scripting (XSS). In some cases, the address bar will also show the address of the target page.

With minimal user interaction, this particular XSS vector may also be used to modify Opera’s configuration, and this may in turn be used to execute arbitrary code on the computer.

Opera’s response

Opera Software has released Opera 10.63, where this issue has been fixed.