At this time, Opera is one of the browsers that are struggling to attract more users because the two leaders, Internet Explorer and Firefox, are currently monopolizing the market. In the last weeks, numerous vulnerabilities were discovered in both IE and Mozilla's product so it was quite an opened door for the Opera browser looking to attract new users. Although the leaders were vulnerable several times, Opera is also involved in a security flaw that can allow an attacker to execute cross-site scripting attacks.
“The vulnerability exists because pages that do not specify a charset inherit the charset of the parent page. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of certain sites that are included e.g. via iframes in a malicious page that uses UTF-7 as charset. Successful exploitation requires that the user is tricked into visiting a malicious web site,” security company Secunia mentioned in a security advisory. The firm sustained the vulnerability was confirmed in Opera 9.10 but other versions might be affected too. Although the flaw is rated as less critical, the solution is at least unsafe so you should refuse to open untrusted websites.
Secunia reports that Opera is not the only browser affected by the security flaw, Firefox and Internet Explorer being also vulnerable to cross-site scripting attacks. Although the companies are always looking to fix the reported flaws, it seems like the browsers' developers are not interested in patching the vulnerabilities. The author of the security advisory sustained Mozilla was the only company that responded to the report while Microsoft and Opera were not interested in the advisory.
“Opera did not react at all on our bug report and Microsoft just sent a nonsense mail to us, claiming that we had disclosed this already to the public and that they like getting advance notice. We never heard back from them after that initial email. Not really surprising because it is a similar behavior we previously encountered when dealing with them,” Stefan Esser sustained in the security advisory.