Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android
Description
An address bar spoofing vulnerability was discovered in Safe Browser for Android. When a user clicks on a specially crafted malicious webpage/URL, the user may be tricked for a short period of time (until the page loads) into thinking the content may be coming from a valid domain, while the content comes from the attacker-controlled site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A short-lived address bar spoofing vulnerability in Safe Browser for Android lets an attacker deceive users into thinking malicious content is from a trusted domain.
Vulnerability
An address bar spoofing vulnerability (CVE-2022-28868) exists in the F‑Secure Internet Security Browser (formerly Safe Browser) for Android. The bug affects versions 18.6 and below [2]. When a user clicks a specially crafted malicious URL, the address bar briefly displays the next legitimate-looking URL while the page is still loading, creating a window where the displayed domain does not match the actual content [1][2].
Exploitation
To exploit this vulnerability, an attacker must craft a malicious webpage or URL and convince the user to click on it. No special network position or authentication is required; the attack relies on the user clicking a link. The spoofing effect is transient—it persists only until the malicious page fully loads [1][2]. The vulnerability is reachable without any specific configuration beyond standard browser usage.
Impact
Successful exploitation can trick a user into believing that the content they are seeing originates from a trusted domain, when in fact it is served from an attacker-controlled site. This can lead to a loss of trust and potentially enable phishing or other social-engineering attacks, though the impact is limited to the visual spoofing period before the page loads [1][2]. The vulnerability does not directly allow code execution or data exfiltration beyond the user's misinterpretation of the address bar.
Mitigation
The vulnerability has been fixed in a release that was pushed via automatic update on 13 April 2022 [2]. Users of F‑Secure Internet Security Browser for Android (version 18.6 and below) should ensure that the browser updates to the latest version; no manual action is required for the update to apply [2]. No workaround is necessary for already-updated installations. No published exploit in the wild has been reported, and the issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 18.6
Patches
No patches discovered yet.
References
- www.f-secure.com/en/home/support/security-advisories (mitre, x_refsource_MISC)
- www.f-secure.com/en/home/support/security-advisories/cve-2022-28868 (mitre, x_refsource_MISC)