|Mozilla Firefox 1.5.x before 126.96.36.199 and 2.x before 188.8.131.52, and
SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to spoof or hide
the browser chrome, such as the location bar, by placing XUL popups
outside of the browser's content pane. NOTE: this issue can be
leveraged for phishing and other attacks.