(CVE-2018-8383/CVE-2019-6251) Address bar spoofing
Dear Team,
Product affected: Epiphany 3.28.3.1
Tested on: Fedora-Workstation-x86_64-28-1.1
Steps to reproduce
- Open Epiphany
- Navigate to spoof.html
- The address bar is spoofed
Abstract
Epiphany allows JavaScript to update the address bar while the page is still loading. When the page requests data from a non-existent port, the address bar entry is preserved; the resulting race condition over the resource requested from the non-existent port, combined with the delay induced by the setInterval function, is enough to trigger address bar spoofing. The browser keeps the original address in the bar while loading the content of the spoofed page. The browser will eventually load the resource, but the delay induced by setInterval is sufficient to trigger the address bar spoof.
Marking this as confidential, because an attacker can use such crafted JS to retrieve sensitive details from the end user. Requesting the team to have a look and validate.
Reference: https://www.rafaybaloch.com/2018/09/apple-safari-microsoft-edge-browser.html