A software engineer from online analytics company Spider.io is claiming that a security flaw in Internet Explorer 6-10 could allow attackers or advertisers to track users' mouse movements, potentially compromising data entered via virtual keyboards.
Nick Johnson, who worked for Google before joining Spider.io, posted details of the flaw on the Bugtraq mailing list this morning.
"Internet Explorer's event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not. Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any web page (or in any iframe within any web page) to poll for the position of the mouse cursor anywhere on the screen and at any time — even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized."