Firefox does not properly handle JavaScript "onUnload" events and can be tricked into taking the user to an unintended destination, said security researcher Michal Zalewski. "This flaw allows the attacker to track your footsteps and either redirect you to the URL you wanted to visit, which wouldn't be noticed at all, or to a similarly named phishing Web site when you choose to visit a target of some significance," Zalewski said.

The bug affects the just-released Firefox 2.0.0.2 and 1.5.0.10 updates, as well as Microsoft's Internet Explorer 7. JavaScript can be disabled in the browsers to block such redirects.

"The big difference in the two browsers is that Firefox 2.0.0.2 displays the correct address for the redirected site in the address bar," Symantec Corp. said in a warning Tuesday. "IE7, however, continues to display the URL that the user typed into the address bar, leading to a false sense of security."

Mozilla fixed 15 flaws Friday in Firefox 2.0.0.2 and 1.5.0.10, as opposed to the 14 . An overlooked security update in the revised browsers patches another Zalewski vulnerability, Mozilla said Tuesday.

"Firefox 2.0.0.2 update includes fixes for the bugs that researcher Michael Zalewski reported last week, including the hostname vulnerability, cookie issue, and memory corruption issue," Window Snyder, Mozilla's chief security executive, said in an e-mail.