Security Advisories
FSC-2017-4: Universal Cross-Site Scripting in F-Secure SAFE For Windows
Description
By exploiting a flaw in the "Harmful web site blocked" page shown in web browser by F-Secure SAFE, it is possible to gain JavaScript execution on an arbitrary website.
Affected Products
- Risk Level (Low/Medium/High/Cricital) Medium
- F-Secure SAFE 17.0 and below
- Protection Service for Business (PSB) Computer Protection 17.5 and below
Platforms
- Risk Level (Low/Medium/High/Cricital) Medium
- Windows
More Information
Improper URL handling by F-Secure Browsing Protection, when combined with multiple low severity issues, can be used to trigger universal cross-site scripting through the Browsing Protection block page in a web browser. User interaction is required prior to exploitation, such as entering a malicious website to trigger the vulnerability.
This issue was disclosed to F-Secure through our Vulnerability Reward Program. No known attack has been observed in the wild at the time of the advisory release.
Mitigating Factors
HTTPS connection is not vulnerable to this attack.
Fix Available
| Product | Versions | Download |
|---|---|---|
| F-Secure SAFE for Windows |
17.0 and below | A fix has been released in the automatic update channel since 1st November 2017. No user action is required if automatic update is enabled. |
| PSB Computer Protection | 17.5 and below | A fix has been released in the automatic update channel since 1st November 2017. No user action is required if automatic update is enabled. |
Credits
F-Secure Corporation would like to thank Juho Nurminen for bringing this issue to our attention.
Advisory Changes
| Date | Changes |
|---|---|
| 6 December 2017 | Advisory first published. |
| 11 December 2017 |
|
Date Issued: 2017-12-06