Danyil Vasilenko Bolt Browser Address Bar Spoofing
Description
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of Danyil Vasilenko's Bolt Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Bolt Browser version 1.4 and prior versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Address bar spoofing in Bolt Browser 1.4 and prior lets attackers display a fake URL, enabling phishing attacks.
Vulnerability
Bolt Browser version 1.4 and prior contains an address bar spoofing vulnerability where the user interface misrepresents the true source of data. An attacker can craft a malicious web page that causes the address bar to display a fake URL, hiding the actual origin of the content [1].
Exploitation
An attacker can exploit this vulnerability by luring a victim to visit a specially crafted web page. No authentication or special privileges are required; the victim only needs to use the affected browser. The attacker can obfuscate the true domain in the address bar, making the page appear to originate from a trusted source [1].
Impact
Successful exploitation allows an attacker to deceive the user into believing they are on a legitimate website. This can lead to credential theft, malware distribution, or other phishing attacks, as the user may trust the displayed URL and interact with malicious content [1].
Mitigation
As of the publication date (2020-10-20), no official patch has been released for Bolt Browser. Users are advised to avoid using Bolt Browser version 1.4 or earlier and consider switching to a supported browser that has addressed address bar spoofing issues [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Danyil Vasilenko / Bolt Browser: version 1.4 and prior (range: <=1.4)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The address bar fails to update to reflect the actual page content after JavaScript-driven navigation, allowing an attacker to display a trusted domain while serving arbitrary content."
Attack vector
An attacker hosts a malicious page that executes JavaScript which writes fake content (e.g., a Gmail login page) via `document.write()` and then calls `window.location.assign("https://www.Gmail.com:8080")` while repeatedly triggering the spoof via `setInterval()` [ref_id=1]. Because Bolt Browser preserves the address bar URL of the target domain (e.g., Gmail.com) even though the actual page content is attacker-controlled, the victim sees a trusted domain in the address bar while interacting with fraudulent content. The attack requires no special privileges beyond luring the victim to the attacker's webpage.
Affected code
The vulnerability resides in the address bar handling logic of Bolt Browser version 1.4 and prior. The researcher's proof of concept uses JavaScript's `window.location.assign()` combined with `document.write()` and `setInterval()` to manipulate the displayed URL without a corresponding page load [ref_id=1]. No specific source file or function name is identified in the advisory.
What the fix does
The advisory does not include a patch or specific remediation from the vendor. The researcher notes that disclosure was handled through Rapid7 and that a 60-day timeframe was assigned for fixes, but no update addressing this specific vulnerability in Bolt Browser has been published [ref_id=1]. Without a patch, the recommended mitigation is to ensure the browser's address bar accurately reflects the true origin of loaded content after any navigation or script-driven URL change.
Preconditions
- Config: victim must be using Bolt Browser version 1.4 or earlier
- Input: victim must visit an attacker-controlled web page
- Config: JavaScript must be enabled in the browser
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.