AJAX Apps Ripe Targets for JavaScript Hijacking
By Lisa Vaas


How It Came to Be
(Page 3 of 3)

According to Fortify's paper, applications may be vulnerable if they use JavaScript as a data transfer format and if they handle confidential data.

Nobody knows if this vulnerability is currently being used to steal data. That's because if somebody were using it for thievery, it would be undetectable, Chess said: "It very well could be being exploited right now and we wouldn't know it."

As for how to fix it, Fortify's paper gets into the details. In many cases it would take as few as a dozen lines of code. What's of added interest, Chess said, is how the vulnerability came to be in the first place.

"We've got Web 2.0/AJAX kind of guys who want to do things with browsers and HTML and … [they] really weren't designed to do the work," he said. "[They're using] hacks and kludges to make things work. Sometimes that has unforeseen consequences. You get cobbled-together AJAX."

What's needed are standards and protocols and Web browsers that support them, Chess said. The teams at Microsoft and Mozilla that maintain IE and Firefox are where "the rubber hits the road," he said.

"Once they agree something's a standard, it's a standard," he said. "There's a lot of people who try to influence them, but it's really they we look to and take cues from."

This vulnerability will likely further motivate standards-setting bodies such as the IETF or the W3C, Chess said. Such organizations have often been where Microsoft's and Mozilla's people have come together to determine what will happen with standards and protocols.

"I think this will further motivate them," Chess said. "They've known about problems in this neighborhood. … But I don't think they've understood what a big deal their security decisions would be."

This article was originally published on eWeek.com.
