CVE-2021-40835

URL Address Bar Spoofing in F-Secure SAFE Browser for iOS

Description

A URL address bar spoofing vulnerability was discovered in Safe Browser for iOS. When a user clicks on a specially crafted malicious URL and does not pay careful attention to the URL, the user may be tricked into thinking the content comes from a valid domain while it actually comes from another. This is done by using a very long username part in the URL so that the user cannot see the domain name. A remote attacker can leverage this to perform a URL address bar spoofing attack. The fix is that the browser no longer shows the username part in the address bar.
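The mitigation described above, as an added example that is not F-Secure's code: the address bar text is built from the parsed URL with the userinfo part removed, so the host is what the user sees first. The function names, the 40-character bar width and the `.test` hostnames are assumptions made for illustration.

```javascript
// Added example: address-bar display text with the userinfo part removed.
// ADDRESS_BAR_CHARS and all hostnames below are constructed for illustration.
const ADDRESS_BAR_CHARS = 40; // assumed visible width of a narrow mobile address bar

// Text to show in the address bar: scheme, host, port, path, query and
// fragment, with any "user:password@" part dropped.
function displayUrl(rawUrl) {
  const u = new URL(rawUrl); // WHATWG URL parser; throws on invalid input
  u.username = "";
  u.password = "";
  return u.href;
}

// What the user sees when only the first `width` characters fit on screen.
function visiblePart(text, width = ADDRESS_BAR_CHARS) {
  return text.length <= width ? text : text.slice(0, width);
}

// True when the URL carries userinfo, e.g. to flag or log the navigation.
function hasUserinfo(rawUrl) {
  const u = new URL(rawUrl);
  return u.username !== "" || u.password !== "";
}

// Constructed sample: a long username that reads like a host name,
// followed by "@" and the host the content is really loaded from.
const sample =
  "https://" + "www.trusted.test" + "-".repeat(60) + "@actual-origin.test/login";

console.log(visiblePart(sample));             // raw URL: real host is cut off
console.log(visiblePart(displayUrl(sample))); // sanitized: real host is visible
console.log(hasUserinfo(sample));             // flagged as carrying userinfo
```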

Remediation

Solution:

  • Upgrade to version 18.5 or newer from the App Store
CVSS: 4.6
Severity: Medium
EPSS: 0.21%
Vendor Advisory: f-secure.com
Affected: F-Secure F-Secure Mobile Security

Frequently Asked Questions

What is the severity of CVE-2021-40835?
CVE-2021-40835 has been scored as a medium severity vulnerability.
How to fix CVE-2021-40835?
To fix CVE-2021-40835: Upgrade to version 18.5 or newer from the App Store
Is CVE-2021-40835 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2021-40835 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-40835?
CVE-2021-40835 affects F-Secure F-Secure Mobile Security.