Security Advisories

CVE-2021-44749: Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android


Vulnerabilities in the browser protection of F-Secure SAFE for Android could allow remote attacker to steal user's sessions cookie.



FIX: A fix has been released in the automatic update channel since 18 February 2022. No user action is required if automatic update is enabled.

Affected Products

  • F-Secure SAFE Browser for Android Version 18.5


  • All supported platforms for the affected products

More Information

A vulnerability affecting F-Secure SAFE browser protection was discovered improper URL handling can be triggered to cause universal cross-site scripting through browsing protection in a SAFE web browser. User interaction is required prior to exploitation. A successful exploitation may lead to arbitrary code execution.

This issue was reported to F-Secure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.

Mitigating factors

User interaction is required prior to exploitation.


F-Secure Corporation would like to thank Kirtikumar Anandrao Ramchandani for bringing this issue to our attention.

Date Issued: 03-Mar-2022