• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Opera Web Browser Unicode Whitespace Cross-Site Scripting Weakness

Severity: MODERATE

Description:

Opera Web Browser is prone to a weakness that can facilitate cross-site scripting attacks.

This issue stems from the processing of Unicode characters flagged with the 'white_space' property. Since these characters will be treated as white space, they may be freely included in JavaScript code. Applications that try to sanitize user-supplied input may fail to properly interpret these characters, allowing cross-site scripting attacks to bypass filters.

Attackers can leverage this weakness to aid in cross-site scripting attacks against unsuspecting users of the application.

Characters treated as white space include the following:

U+2002 to U+200A
U+205F
U+3000
U+180E Mongolian Vowel Separator
U+1680 Ogham Space Mark
U+00A0
U+180F
U+2000
U+2001
U+2028
U+2029
U+202F
U+205F

This issue occurs in versions prior to Opera 9.52.

NOTE: This issue was previously discussed in BID 30768 (Opera Web Browser 9.51 Multiple Security Vulnerabilities).

Affected Products:

• Gentoo Linux
• Opera Software Opera Web Browser 5.0.0 2 win32
• Opera Software Opera Web Browser 5.0.0 Linux
• Opera Software Opera Web Browser 5.0.0 Mac
• Opera Software Opera Web Browser 5.1.0 0 win32
• Opera Software Opera Web Browser 5.1.0 1 win32
• Opera Software Opera Web Browser 5.12.0
• Opera Software Opera Web Browser 5.12.0 win32
• Opera Software Opera Web Browser 6.0.0
• Opera Software Opera Web Browser 6.0.0 .6win32
• Opera Software Opera Web Browser 6.0.0 6
• Opera Software Opera Web Browser 6.0.0 Win32
• Opera Software Opera Web Browser 6.0.1
• Opera Software Opera Web Browser 6.0.1 linux
• Opera Software Opera Web Browser 6.0.1 win32
• Opera Software Opera Web Browser 6.0.2 linux
• Opera Software Opera Web Browser 6.0.2 win32
• Opera Software Opera Web Browser 6.0.3 linux
• Opera Software Opera Web Browser 6.0.3 win32
• Opera Software Opera Web Browser 6.0.4 win32
• Opera Software Opera Web Browser 6.0.5 win32
• Opera Software Opera Web Browser 6.10.0 linux
• Opera Software Opera Web Browser 7.0.0 1win32
• Opera Software Opera Web Browser 7.0.0 2win32
• Opera Software Opera Web Browser 7.0.0 3win32
• Opera Software Opera Web Browser 7.0.0 win32
• Opera Software Opera Web Browser 7.0.0 win32 Beta 1
• Opera Software Opera Web Browser 7.0.0 win32 Beta 2
• Opera Software Opera Web Browser 7.10.0
• Opera Software Opera Web Browser 7.11.0
• Opera Software Opera Web Browser 7.11.0 b
• Opera Software Opera Web Browser 7.11.0 j
• Opera Software Opera Web Browser 7.20.0
• Opera Software Opera Web Browser 7.20.0 Beta 1 build 2981
• Opera Software Opera Web Browser 7.21.0
• Opera Software Opera Web Browser 7.22.0
• Opera Software Opera Web Browser 7.23.0
• Opera Software Opera Web Browser 7.50.0
• Opera Software Opera Web Browser 7.51.0
• Opera Software Opera Web Browser 7.52.0
• Opera Software Opera Web Browser 7.53.0
• Opera Software Opera Web Browser 7.54.0
• Opera Software Opera Web Browser 8 Beta 3
• Opera Software Opera Web Browser 8.0.0
• Opera Software Opera Web Browser 8.0.0 1
• Opera Software Opera Web Browser 8.0.0 2
• Opera Software Opera Web Browser 8.0.2
• Opera Software Opera Web Browser 8.50.0
• Opera Software Opera Web Browser 8.51.0
• Opera Software Opera Web Browser 8.52
• Opera Software Opera Web Browser 8.53
• Opera Software Opera Web Browser 8.54
• Opera Software Opera Web Browser 9
• Opera Software Opera Web Browser 9.01
• Opera Software Opera Web Browser 9.02
• Opera Software Opera Web Browser 9.10
• Opera Software Opera Web Browser 9.20
• Opera Software Opera Web Browser 9.20 beta1
• Opera Software Opera Web Browser 9.21
• Opera Software Opera Web Browser 9.22
• Opera Software Opera Web Browser 9.23
• Opera Software Opera Web Browser 9.24
• Opera Software Opera Web Browser 9.25
• Opera Software Opera Web Browser 9.26
• Opera Software Opera Web Browser 9.27
• Opera Software Opera Web Browser 9.5
• Opera Software Opera Web Browser 9.50 beta
• Opera Software Opera Web Browser 9.51

References:

• Chris Weber: Advisory: Attack of the Mongolian space evaders! (and other Medieval XSS vectors
• Log0: Interesting XSS In Opera 9.51
• Opera Software: Opera 9.52 Changelog
• Opera Software: Opera Home Page

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.