Advisory: Character Encoding Inheritance in iframes Can Enable Cross-Site Scripting

Severity

Moderate

Problem description

Pages displayed inside an iframe will inherit the character encoding of the parent page, unless they specify their own character encoding.

A malicious page that uses the UTF-7 character encoding can include other sites, for example inside iframes. A framed page that declares no encoding of its own is then decoded as UTF-7, so content that is harmless in the site's intended encoding can be interpreted as script. This can be exploited to perform cross-site scripting on certain sites, allowing the attacker to gain access to the user's session data for those sites.

To exploit this vulnerability, the attacker must get the user to access a specially crafted Web page.

Opera's Response

Opera has released Opera 9.20, which restricts character encoding inheritance so that it is only applied to content from the same site as the parent document.
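As an added illustration (not code from the advisory or from Opera), the following Python checks whether a response declares its own character encoding, which is what keeps a framed page from inheriting the parent's, and models the inheritance rule before and after a same-site restriction like the one in Opera 9.20. The same-site test by hostname and the use of None for "nothing inherited, browser default applies" are assumptions.

```python
"""Encoding-declaration check and a model of iframe charset inheritance."""
import re
from email.message import Message
from urllib.parse import urlsplit

# Matches both <meta charset="..."> and <meta http-equiv="Content-Type"
# content="text/html; charset=..."> forms in the document head.
META_CHARSET = re.compile(rb'<meta[^>]+charset\s*=\s*["\']?\s*([A-Za-z0-9._:-]+)', re.I)


def declared_charset(headers, body):
    """Return the charset a document declares for itself (lower-cased), or None.

    Precedence: Content-Type header parameter first, then a <meta> declaration
    in the first 4 KB of the body (browsers only sniff the start of a page).
    """
    ctype = headers.get("Content-Type")
    if ctype:
        msg = Message()
        msg["Content-Type"] = ctype
        cs = msg.get_param("charset")
        if cs:
            return str(cs).lower()
    m = META_CHARSET.search(body[:4096])
    return m.group(1).decode("ascii").lower() if m else None


def same_site(parent_url, child_url):
    # Assumption: "same site" is modelled as an identical hostname.
    return urlsplit(parent_url).hostname == urlsplit(child_url).hostname


def effective_charset(parent_url, parent_charset, child_url,
                      child_headers, child_body, restrict_inheritance):
    """Charset the browser would use for the framed document.

    restrict_inheritance=False models the pre-fix behaviour (always inherit);
    True models the fixed rule (inherit only from a same-site parent).
    None means no inheritance happened and the browser default applies (assumption).
    """
    own = declared_charset(child_headers, child_body)
    if own:
        return own                      # an explicit declaration always wins
    if not restrict_inheritance or same_site(parent_url, child_url):
        return parent_charset           # inherited from the parent page
    return None


if __name__ == "__main__":
    # Constructed sample: an undeclared page framed by a cross-site UTF-7 parent.
    hdrs, body = {"Content-Type": "text/html"}, b"<html><body>no charset here</body></html>"
    for fixed in (False, True):
        print("restricted" if fixed else "unrestricted", effective_charset(
            "http://attacker.example/", "utf-7", "http://bank.example/", hdrs, body, fixed))
```

A site-side mitigation independent of the browser fix is for every HTML response to declare its charset explicitly, which `declared_charset` verifies.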

Credits

Thanks to Stefan Esser for making Opera Software aware of this vulnerability.
