Tallefer / qtweb

Automatically exported from code.google.com/p/qtweb

QTweb 3.7.2 and 3.7.3 (build 087) URL weakness lets remote attackers perform spoofing or phishing attacks #151

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create an HTML document with some HTML code
2. Open this HTML document and click on the "prepared" link

What is the expected output? What do you see instead?

The browser shows the real URL, but it has a weakness and an attacker can show an empty URL.
This weakness can be used for phishing or spoofing attacks, because you can think that you are at Bank of America, for example, and the browser doesn't show anything in the URL :) See qt1.jpg.

Also, an attacker can compose a popup with the attributes 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0', and it can also be used for spoofing or phishing attacks. See qt2.jpg.

I have a Proof of Concept for this issue...

What version of the product are you using? On what operating system?

QTweb 3.7.2 and 3.7.3 (build 087) and possibly prior versions.

Please provide any additional information below.

Original issue reported on code.google.com by lost...@gmail.com on 28 Sep 2011 at 4:46

Attachments:
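
The popup case in the report depends on the browser honouring a page's request to hide the address and status bars. The following is an added example, not part of the report and not QtWeb code: a browser-side policy that rewrites a popup feature string so those bars stay visible. The function names and the choice of which features to force on are assumptions made for illustration.

```javascript
// Hypothetical policy: features a page may not switch off, because they
// show the address and status information users rely on.
const FORCED_ON = new Set(["location", "status", "statusbar"]);

// Boolean parsing in the style of the HTML window-features rules:
// a missing value, "yes" or "true" mean on; otherwise a non-zero integer means on.
function featureIsOn(value) {
  if (value === undefined || value === "" || value === "yes" || value === "true") return true;
  const n = parseInt(value, 10);
  return !Number.isNaN(n) && n !== 0;
}

// Split "a=0, B = 1" into ordered [name, value] pairs, lower-cased and trimmed.
function parseFeatures(featureString) {
  return String(featureString || "")
    .split(",")
    .map((token) => token.trim().toLowerCase())
    .filter((token) => token.length > 0)
    .map((token) => {
      const eq = token.indexOf("=");
      return eq === -1
        ? [token, undefined]
        : [token.slice(0, eq).trim(), token.slice(eq + 1).trim()];
    });
}

// Return the feature string the browser should honour, plus the names of
// the requests that were overridden (useful for logging).
function enforceVisibleChrome(featureString) {
  const pairs = parseFeatures(featureString);
  if (pairs.length === 0) return { features: "", overridden: [] }; // defaults apply
  const overridden = [];
  const out = [];
  let sawLocation = false;
  for (const [name, value] of pairs) {
    if (FORCED_ON.has(name)) {
      if (name === "location") sawLocation = true;
      if (!featureIsOn(value)) overridden.push(name);
      out.push(`${name}=1`);
    } else {
      out.push(value === undefined ? name : `${name}=${value}`);
    }
  }
  // A popup whose feature list omits "location" gets an address bar as well.
  if (!sawLocation) out.push("location=1");
  return { features: out.join(","), overridden };
}

// The attribute string quoted in the report.
console.log(enforceVisibleChrome("toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0"));
```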