Improper URL handling by F-Secure Browsing Protection, when combined with multiple low-severity issues, can be used to trigger universal cross-site scripting through the Browsing Protection block page in a web browser. Exploitation requires user interaction, such as visiting a malicious website.
This issue was disclosed to F-Secure through our Vulnerability Reward Program. No known attack has been observed in the wild at the time of the advisory release.
HTTPS connections are not vulnerable to this attack.
|F-Secure SAFE for Windows||17.0 and below||A fix has been available through the automatic update channel since 1st November 2017. No user action is required if automatic update is enabled.|
|PSB Computer Protection||17.5 and below||A fix has been available through the automatic update channel since 1st November 2017. No user action is required if automatic update is enabled.|
F-Secure Corporation would like to thank Juho Nurminen for bringing this issue to our attention.
|6 December 2017||Advisory first published.|
|11 December 2017||
Date Issued: 2017-12-06