Firefox onUnload script tailgating demo

In the vein of the MSIE7 entrapment vulnerability, I prepared a variant of this attack for Firefox.

With Firefox, it is possible to use an onUnload JavaScript handler to execute JavaScript in the context of a newly loaded window. Although there is no access to the document and window DOM hierarchy, it is still possible to have some fun.

The attacker can see where the user is going, and decide whether to transparently redirect the request to this URL, or point the browser elsewhere, to a URL very similar to the entered one, but with attacker-controlled contents: you can enter citibank.com or pick a bookmark for that site, but be taken to cilibank.com instead. This is unlikely to be spotted by an unsuspecting user.

To test for the vulnerability, try navigating to wikipedia.org. You will invariably be taken to a typosquatter site instead. You can also experiment with other URLs.

You need to have JavaScript enabled.

Questions and comments: Michal Zalewski <lcamtuf@coredump.cx>.