JavaScript might run in the wrong context if loaded from error page – Opera Security Advisories




If Opera is sent to an invalid URL, an error page will be displayed along with a link to the URL. The URL linked to might run scripts, and in some cases these scripts might be run in the wrong security context. This can be used to execute scripts in the context of an unrelated domain, which allows cross-site scripting.

To exploit this vulnerability, an attacker must get the user to interact with a specially crafted error page.

Opera’s response

Opera Software has released Opera 10.63, where this issue has been fixed.