Older Noscript-Version bypassed ?

[newhere]

hi,

some days ago i got redirected to one of these fake-police-sites who claim to block your computer and browser. I use Noscript for FF, but i still got this "Leave Page... Stay on Page" dialog box when i closed the tab, and so far as i know, is javascript recommended to do that, but Noscript was enabled and configured correctly!

Can Html or something similar show this box without getting blocked by Noscript? Or has my NS-Version a bug, to bypass this? Cause i use an older version (2.6.8.5), anyone knows a bug like this in this version? (checked changelog, but couldnt find something, im not an expert).

Thanks!

[barbaz]

It's a known bug that has long since been fixed, please update NoScript to the latest version (2.6.9.10 at the time of writing)

(v 2.6.8.5 can't block inline JS in Gecko > 27)

[newhere]

hi,

thanks! Is this a dangerous Bug? Can Websites use dangerous scripts through this bug?

Couldnt find this in the changelog, am i too dumb to find this, or is it really not listed there?

[barbaz]

Is this a dangerous Bug? Can Websites use dangerous scripts through this bug?

Yes and yes!!

Couldnt find this in the changelog, am i too dumb to find this, or is it really not listed there?

I think you just don't know the keywords to look for, so here's the (potentially) relevant parts:

v 2.6.8.19rc2
=========================================================================
x Fixed CAPS initialization broken in Gecko 27 and below

<...>

v 2.6.8.18rc2
=========================================================================
<...>
- Disabled CAPS-based script blocking for Gecko 28 and above

<...>

v 2.6.8.11rc6
=========================================================================
<...>
x Adopted the Components.utils.blockScriptForGlobal() API where possible

<...>

v 2.6.8.8rc2
=========================================================================
+ Enforce docShell-based script blocking for Gecko > 28

[newhere]

k, thanks!

Do you think it was a coincidence that this site bypassed noscript? Or was it on purpose? Ok, those websites just work with Javascript but on Firefox their Script doesnt work as they want anyways, with FF it just pop ups this "Leave Page..." Message, also without Noscript, so far as i know.

[barbaz]

Do you think it was a coincidence that this site bypassed noscript? Or was it on purpose?

Neither, it's a bug in NoScript caused by Mozilla completely removing the API NoScript was using to block inline scripts. You're just *really* lucky sites running inline javascripts when you don't think so hasn't been a problem for you yet.