By exploiting a flaw in the "Harmful web site blocked" page shown in the web browser by F-Secure SAFE, it is possible to gain JavaScript execution in the context of an arbitrary website.
Improper URL handling by F-Secure Browsing Protection, when combined with multiple low-severity issues, can be used to trigger universal cross-site scripting through the Browsing Protection block page in a web browser. User interaction is required prior to exploitation, such as visiting a malicious website that triggers the vulnerability.
This issue was disclosed to F-Secure through our Vulnerability Reward Program. No known attack has been observed in the wild at the time of the advisory release.
HTTPS connections are not vulnerable to this attack.
Product | Versions | Download |
---|---|---|
F-Secure SAFE for Windows | 17.0 and below | A fix has been released in the automatic update channel since 1st November 2017. No user action is required if automatic update is enabled. |
PSB Computer Protection | 17.5 and below | A fix has been released in the automatic update channel since 1st November 2017. No user action is required if automatic update is enabled. |
F-Secure Corporation would like to thank Juho Nurminen for bringing this issue to our attention.
Date | Changes |
---|---|
6 December 2017 | Advisory first published. |
11 December 2017 | |
Date Issued: 2017-12-06