Multiple Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android

Vulnerability

The vulnerability exists in F-Secure Internet Security Browser for Android version 19.0 and below. An attacker can exploit the JavaScript window.open functionality to spoof the address bar, potentially displaying a misleading URL to the user. [2]

Exploitation

An attacker would need to craft a malicious web page that uses the window.open method in a way that manipulates the address bar display. The user must visit the attacker-controlled page in the affected browser. No authentication or special network position is required beyond serving the page. [2]

Impact

Successful exploitation allows an attacker to perform address bar spoofing, which could trick the user into believing they are on a legitimate site, potentially leading to phishing or other social engineering attacks. The impact is limited to UI spoofing; no code execution or data theft is directly achieved. [2]

Mitigation

F-Secure released a fix via automatic update channel on May 3, 2022. Users with automatic updates enabled are protected without action. No manual patching is required. The vulnerability is not known to be exploited in the wild. [2]