Mozilla Foundation Security Advisory 2016-82

Addressbar spoofing with right-to-left characters on Firefox for Android

Announced: August 2, 2016
Reporter: Rafay Baloch
Impact: Moderate
Products: Firefox
Fixed in: Firefox 48

Description

Security researcher Rafay Baloch reported a mechanism to spoof the address bar in Firefox for Android using right-to-left character sets combined with left-to-right characters. As a result, only certain portions of the left-to-right part of the loaded URL may be displayed, misleading users as to what site is loaded and possibly leading to phishing attacks.

This vulnerability does not affect the desktop version of Firefox.
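
A defender-side check for the condition described above, as an added example that is not part of the advisory and is not Mozilla's fix in Firefox 48: it profiles each URL component by Unicode bidirectional class and flags URLs that mix strong right-to-left and left-to-right characters or carry bidi control characters. The names `direction_kinds` and `audit_url` and the sample URLs are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit, unquote

# Unicode bidirectional classes (UAX #9) as returned by unicodedata.bidirectional().
RTL_STRONG = {"R", "AL"}   # Hebrew, Arabic and other right-to-left letters
LTR_STRONG = {"L"}         # Latin and other left-to-right letters
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def direction_kinds(text):
    """Return which of 'rtl', 'ltr' and 'control' occur in text."""
    kinds = set()
    for ch in text:
        cls = unicodedata.bidirectional(ch)
        if cls in RTL_STRONG:
            kinds.add("rtl")
        elif cls in LTR_STRONG:
            kinds.add("ltr")
        elif cls in BIDI_CONTROLS:
            kinds.add("control")
    return kinds


def audit_url(url):
    """Profile each URL component and flag mixed-direction text or bidi controls."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        host = host.encode("ascii").decode("idna")  # expose punycode labels as Unicode
    except UnicodeError:
        pass  # host is already Unicode or not valid IDNA: inspect it as given
    components = {
        "host": host,
        "path": unquote(parts.path),        # percent-decoding reveals encoded RTL text
        "query": unquote(parts.query),
        "fragment": unquote(parts.fragment),
    }
    profile = {name: direction_kinds(text) for name, text in components.items() if text}
    seen = set().union(*profile.values())
    return {
        "components": profile,
        "mixed_direction": {"rtl", "ltr"} <= seen,
        "bidi_controls": "control" in seen,
    }


if __name__ == "__main__":
    # Constructed sample URLs (example.com is a reserved documentation domain).
    for sample in ("https://example.com/docs/index.html",
                   "https://example.com/%D7%A9%D7%9C%D7%95%D7%9D/page"):
        print(sample, audit_url(sample))
```

A flagged URL is a candidate for closer review of how the address is rendered, for example in link-scanning or UI test tooling.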
