F-Secure SAFE Browser for Android Vulnerable to Address Bar Spoofing

More information

An address bar spoofing vulnerability was discovered in SAFE Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A remote attacker can leverage this to perform address bar spoofing attack.

This issue was reported to F-Secure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.


F-Secure Corporation would like to thank following person for bringing this issue to our attention.

Narendra Bhati



  • F-Secure SAFE Browser is vulnerable to address bar spoofing.
  • Status

  • Resolved
  • Risk level

  • Medium
  • Fix

  • Upgrade to version 18.4.x or newer from Google Play
  • Affected products

  • Corporate Products: F-Secure SAFE Browser version 18.3.x and below
  • Platforms

  • Android
  • Date issues

  • 11/8/2021
  • Security advisories
  • 2021
  • Medium