Security News > 2020 > October > JavaScript-based address bar spoofing vulns patched in Safari, Yandex, Opera
Rapid7 found Apple's Safari browser, as well as the Opera Mini and Yandex browsers, were vulnerable to JavaScript-based address bar spoofing.
He went on to explain: "By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website."
Over on his own website, Baloch published proof-of-concept code for exploiting Yandex Browser, Safari and Opera.
Thanks to this research, patches have been issued for UCWeb, Opera Touch, Yandex Browser, Safari and RITS Browser.
"We tend to let our browser auto update which means we can sit back and enjoy browsing securely without having to think about extra protection. However, with some particular browsers, it may not be as straight forward," he explained.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/10/24/browser_address_spoofing/