Security advisories
FSC-2023-3: F‑Secure SAFE Browser Sandbox Bypass
Description
An iframed popup could load from a sandboxed environment in SAFE Browser.
STATUS: Fixed
RISK LEVEL: Medium
FIX: A new version of F‑Secure SAFE (F‑Secure SAFE for iOS 19.3) has been published to the related store.
Affected products
F‑Secure SAFE for iOS
Affected platforms
All supported platforms for the affected products
More information
F‑Secure SAFE Browser is susceptible to a sandboxing bypass even when the sandboxed-navigation-browsing-context flag has been set. This happens because a nested browsing context within an iframe did not inherit the flag as expected. This could lead to potentially malicious content being loaded within the iframe.
This issue was reported to F‑Secure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.
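The inheritance rule that the description above relies on can be written as a regression check. The following is an added example, not F‑Secure's code: a simplified model of the HTML Standard's rule that a nested browsing context carries its parent's active sandbox flags in addition to its own. The shortened flag labels, the frame names and the `observed` lists are assumptions constructed for illustration.

```javascript
// Simplified model of sandbox flag inheritance for nested browsing contexts.
// Flag labels are shortened for this model; frame names and trees are constructed.
const NAV = "sandboxed-navigation-browsing-context"; // spelling as in the advisory
// Flags a sandbox keyword can lift. No keyword lifts NAV.
const LIFTABLE = {
  "allow-scripts": "sandboxed-scripts",
  "allow-forms": "sandboxed-forms",
  "allow-popups": "sandboxed-auxiliary-navigation",
  "allow-same-origin": "sandboxed-origin",
  "allow-top-navigation": "sandboxed-top-level-navigation",
};

// Flags implied by one iframe's sandbox attribute (null means no attribute).
function flagsFromAttribute(attr) {
  if (attr === null) return new Set();
  const tokens = new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
  const flags = new Set([NAV]);
  for (const [token, flag] of Object.entries(LIFTABLE)) {
    if (!tokens.has(token)) flags.add(flag);
  }
  return flags;
}

// A nested context gets its own flags plus every flag active in its parent.
function expectedFlags(frame, parentFlags = new Set()) {
  return new Set([...parentFlags, ...flagsFromAttribute(frame.sandbox)]);
}

// Walk a frame tree; report contexts whose observed flags miss an expected one.
function findInheritanceGaps(frame, parentFlags = new Set(), path = frame.name) {
  const expected = expectedFlags(frame, parentFlags);
  const missing = [...expected].filter((f) => !frame.observed.includes(f));
  const gaps = missing.length ? [{ path, missing }] : [];
  for (const child of frame.children || []) {
    gaps.push(...findInheritanceGaps(child, expected, `${path} > ${child.name}`));
  }
  return gaps;
}

// Constructed sample: "inner" has no sandbox attribute and was recorded with no flags.
const outerFlags = [...flagsFromAttribute("allow-scripts")];
const sampleTree = {
  name: "top", sandbox: null, observed: [],
  children: [{
    name: "outer", sandbox: "allow-scripts", observed: outerFlags,
    children: [{ name: "inner", sandbox: null, observed: [] }],
  }],
};
console.log(JSON.stringify(findInheritanceGaps(sampleTree), null, 2));
```

A tree in which every nested context reports at least its parent's flags produces an empty result.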
Credits
F‑Secure would like to thank Narendra Bhati of Suma Soft Pvt. Ltd. India for bringing this issue to our attention.
Note
We have applied for, but not yet received, a CVE identifier for this advisory. We will update the advisory page once we have obtained the CVE number.
Date issued: 2023-05-03