
Mozilla fixed a similar reverse cross-site scripting flaw in Firefox last November, but that earlier flaw was a lot more serious, as it did not require JavaScript to be enabled.
Heise Security has a demonstration of the vulnerability on its website to allow users to determine whether they are vulnerable to the attack.
However, some developers and commentators have questioned whether this constitutes a vulnerability in the browser, as it requires the attacker to place malicious code on the web server.
If an attacker can place script code on a server, they would be able to manipulate the pages anyway, and would have other ways to steal user access data.
Until a fix is released, users are urged to disable JavaScript in their browser or to avoid using the password manager on sites where users are allowed to post JavaScript pages.