Skip to main content

Browser Address Spoofing Vulnerability

Details of a vulnerability in how some browsers load their address bars has been disclosed by a security researcher.
Threat ID:
CC-2662
Category:
Exploit
Threat Severity:
Medium
Threat Vector:
Published:
12 September 2018 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Details of a vulnerability in how some browsers load their address bars has been disclosed by a security researcher.

Affected platforms

The following platforms are known to be affected:

Safari

  • Apple Safari - All versions
  • Microsoft Edge - Versions prior to 17134.228

Threat details

Threat actors could exploit this vulnerability to spoof legitimate websites and redirect users to malicious sites.

The vulnerability lies in how the browsers allow JavaScript from loading websites to alter the information displayed within the address bar. When a loading website requests data from a non-existent port it can cause any changes to the displayed URL to be delayed. This delay can then be extended using the setInterval function, however the browser will eventually load the correct URL.

For further information:

Remediation steps

Type Step

Microsoft released an update in August 2018 to address this vulnerability. Users are encouraged to apply this update on their affected systems.

Apple have acknowledged the vulnerability and have stated that an update is being produced. Users are encouraged to apply this update as soon as it becomes available.

CVE Vulnerabilities

Status

CVE-2018-8383

Last edited: 17 February 2020 12:39 pm