Netscape Communications Corp.'s Communicator is a popular web-browsing package that includes a web browser (Navigator), e-mail client, news client, and address book.
Socially engineering users of Netscape Communicator 4.x's web browser and e-mail client into clicking on a malicious link could return the contents of the targeted user's preferences file back to a remote attacker.
files to redefine internal functions.
Remote exploitation allows an attacker to steal user preferences, including the victim's real name, e-mail address, e-mail server, URL history and, in some cases, e-mail password.
Netscape Communicator 4.x is vulnerable. Communicator 6 and later is not vulnerable, being it stores the prefs.js file in a randomized location.
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1204 to this issue.
08/29/2002 Issue disclosed to iDEFENSE
10/14/2002 Netscape notified (email@example.com,
10/14/2002 iDEFENSE clients notified
10/31/2002 Second attempt at vendor contact
11/07/2002 Third attempt at vendor contact
11/19/2002 Public disclosure
Bennett Haselton (firstname.lastname@example.org) discovered this vulnerability.