Endpoint Vulnerability

Addressbar spoofing though history navigation and Location protocol property

Description

Security researcher Tsubasa Iinuma reported a mechanism where the displayed addressbar can be spoofed to users. This issue involves using history navigation in concert with the Location protocol property. After navigating from a malicious page to another, if the user navigates back to the initial page, the displayed URL will not reflect the reloaded page. This could be used to trick users into potentially treating the page as a different and trusted site.

Affected Products

Firefox ESR

References

CVE-2016-1965,