JavaScript vulnerabilities in Opera could allow hackers to access users' cookies and other potentially sensitive files.

Veteran bug hunter Georgi Guninski has discovered that versions of the Web browser on both Windows and Linux allow the execution of script code across domains.

This means it's possible for a hacker to set up malicious script code on a Web page which, when executed by Opera, allows access to the cookie-based authentication credentials of another Web site, Guninski warns. Cookies can contain sensitive information, such as usernames/passwords.

The vulnerabilities (which are believed to affect Opera 5.02, 5.10, 5.11 and 5.12 for Windows as well as Opera 5.0 for Linux) may also expose a browser's cache and history files.

Jon Von Tetzchnor, chief executive of Opera, told us that testing and development for a patch to fix the problem is underway, and a solution should be available by the end of the month. He also points out that Internet Explorer and Netscape browsers have been affected by similar cross-site scripting flaws in the past.

In the meantime Opera advises users to consider disabling JavaScript execution and enabling the "use cookies to trace password protected documents" option, which addresses the most troubling aspect of the problem. ®

External Links

Opera Cross-Site Scripting Vulnerability (from BugTraq)
Guninski 's advisory

Related Stories

Opera tolerating MSN.co.uk goes live
Opera to challenge e-envoy over UK govt 'Windows tax'
Opera to be default browser in Symbian ref designs
Opera 5.0 for Linux to ship next week
Opera browser goes free with version 5.0 launch
Guninski finds new ActiveX security hole in OXP
MS gets hacked off with bug hunter