reported at the above URL. opening this bug to continue the investigation

PoC appears to be limited to visiting the search term stealing site in the same window where a previous google search page was loaded and used for a search. Searches from other browser windows, other tabs, or the chrome don't appear to be tracable from the stealing site. Anyone else able to confirm this?

This looks to me like a variation of bug 147777... Not a JS Engine issue, anyways.

*** This bug has been marked as a duplicate of 147777 ***

What the script here is doing is just constructing what it thinks the query string would be for a given search site and a given query to see if it is visited.

(In reply to comment #1) > Searches from other browser windows, other tabs, or the chrome don't appear to > be tracable from the stealing site. But if we fixed our History implementation, they might be. As for chrome searches, it could be that they just don't check for the correct URL form. In fact, looking at their source code, they only check for a few very limited variations of each search URL. The POC doesn't work for me, for example, because they only check for: http://www.google.com/search?hl=en&q=[REPLACE] http://www.google.com/search?hl=en&q=[REPLACE]&btnG=Google+Search http://www.google.com/search?hl=en&lr=&q=[REPLACE]&btnG=Search http://www.google.com/search?hl=en&lr=&safe=off&q=[REPLACE]&btnG=Search but my URLs come out as: http://www.google.co.uk/search?hl=en&q=[REPLACE]&btnG=Google+Search&meta= so there are two differences - the .co.uk and the &meta=. That's not to try and minimise the impact; just an observation. Search engines and other generators of search URLs could fix this with an &nonce=4f3c or equivalent on the URLs. Gerv