CVE-2018-7635

Vulnerability

Whale Browser versions prior to 1.0.41.8 exhibit a behavior where the address bar does not display the URL when visiting a blank page (e.g., about:blank). Instead, only the page title is shown [1]. This allows an attacker to craft a web page with a misleading title that appears in the address bar, effectively spoofing the domain. The vulnerability is present in the browser's UI handling of blank pages.

Exploitation

An attacker can host a malicious web page that, when visited, causes the browser to display a blank page (or a page that appears blank) with a crafted title [1]. The attacker does not require any special network position beyond serving the page; user interaction is limited to clicking a link or navigating to the attacker's site. The browser's address bar will show only the attacker-chosen title, omitting the actual URL.

Impact

Successful exploitation allows an attacker to spoof the address bar, making a malicious site appear as a legitimate domain [1]. This can trick users into believing they are on a trusted site, potentially leading to disclosure of sensitive information or further attacks. The impact is primarily on the integrity of the displayed URL, leading to user deception.

Mitigation

The vulnerability is fixed in Whale Browser version 1.0.41.8 and later [1]. Users should update to the latest version. No workaround is available for older versions. The issue is not listed on the CISA KEV as of the publication date.