In 2008, we prepared a short demo about "Cross-Domain Autocomplete Data Access" or "How Bad Guys Steal your Login Info Smartly".
Brandon then explained the root cause in a simple way in the Bugzilla post:
When using window.open and some APIs to navigate the opened document, it is possible to navigate the opened document to a different site, while the location bar doesn't stay in sync with the new location.
The visible part was the attacker-controlled web site showing contents from the targeted web site. Behind the scenes, the end result was that the attacker could inject his own scripts into the targeted web sites.
The vulnerability went far beyond URL spoofing. In a normal URL spoofing vulnerability, script execution is tied only to the localhost itself.
Apparently, this window.open trick has been used as a URL spoofing test vector since the early days of Firefox 1.x/2.x and Internet Explorer 6.x. It is surprising to see that new versions of Firefox re-introduced the old issue.
It has been recommended to use a single-browser approach when accessing critical web sites. This advice was not feasible for web 2.0 applications, which have a plethora of complex third-party integrations. For example, you have to use your Google account to post comments or purchase applications from Google store.
However, critical applications such as banking should not rely on third-party systems for their operations, so users can use the "single-browser, single domain" approach to use the service safely.