CVE-2009-3017

Name of the Vulnerable Software and Affected Versions: Orca Browser version 1.2 build 5

Description: The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via several vectors related to improper handling of data: URIs in Refresh and Location headers in HTTP responses, and javascript: URIs in HTML links within 302 error documents sent from web servers. This includes injecting Refresh or Location headers with JavaScript sequences in a data:text/html URI, or entering a data:text/html URI with JavaScript sequences when specifying the content of these headers. Additionally, user-assisted remote attackers can conduct XSS attacks by injecting a Location HTTP response header or specifying its content.

Recommendations: For Orca Browser version 1.2 build 5, as a temporary workaround, consider disabling the handling of data: URIs in Refresh and Location headers, as well as javascript: URIs in HTML links within 302 error documents, until a patch is available. Restrict access to potentially vulnerable web pages to minimize the risk of exploitation. Avoid using the Location and Refresh headers in HTTP responses until the issue is resolved.