Phishing/url cloaking using open() + NoScript "Attemp to fix JavaScript links" unified testbed.

Mozilla Firefox 2.0.0.3 + NoScript 1.1.4.8.070430 (latest version avaiable at the time of writing).

In none of the following PoCs the tested browsers were able to display in the status bar the right link destination, in some cases the browser were able to display the correct url (FF) but only after the user has visited the landing page.

Load http://www.youtube.com/watch?v=BKW5SMvMKtY and jump to minute 2:43 or if you already have the NoScrip plugin installed open the Prefecences window, then click on the Advanced tab, Untrusted tab. The incriminated option is "Attemp to fix JavaScript links".

Defined function PoC with open()

WOPEN
Will succed with JS on using open(). Works with NoScript with JS off (untrusted domain) and "Attemp to fix JavaScript links" option enabled.
Mozilla Firefox*                (works)
Opera 9.20                      (works)
Microsoft Internet Explorer 7   (works)
Microsoft Internet Explorer 6   (works)
Microsoft Internet Explorer 5   (works)
Microsoft Internet Explorer 5.5 (works)

* with any combination of JS on/off + NoScript installed or not

Defined function PoC

JOPEN - PoC for NoScript bug (JS off)
This will fail with JS on with the expected popup. Works with NoScript with JS off (untrusted domain) and "Attemp to fix JavaScript links" option enabled.
Mozilla Firefox + NoScript (works)

Undefined function PoC

M() - PoC for NoScript bug (JS off)
This will fail with JS on with an error of the type: m is not defined. Works with NoScript with JS off (untrusted domain) and "Attemp to fix JavaScript links" option enabled.
Mozilla Firefox + NoScript (works)

Misc tests (please ignore)

Go.. Go.. 
Francesco 'ascii' Ongaro
ascii |at| ush |dot| it