Security advisories

FSC-2023-3: F‑Secure SAFE Browser Sandbox Bypass

Description

An iframed popup could load from a sandboxed environment in SAFE Browser.

STATUS: Fixed

RISK LEVEL: Medium

FIX: A new version of F‑Secure SAFE (F‑Secure SAFE for iOS 19.3) has been published to the related store.

Affected products

  • F‑Secure SAFE for iOS

Affected platforms

  • All supported platforms for the affected products

More information

F‑Secure SAFE Browser is susceptible to a sandboxing bypass even when the sandboxed-navigation-browsing-context flag has been set. This happens because a nested browsing context within an iframe did not inherit the flag as expected. This could lead to potentially malicious content being loaded within the iframe.
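
The inheritance rule described above, as an added example that is not F‑Secure code: a simplified model of how iframe sandbox flags are expected to accumulate down a chain of nested browsing contexts, compared with a faulty evaluation that honours only the innermost iframe. The flag labels, the function names and the sample chain are assumptions made for illustration, and the token table is a subset of the HTML Standard.

```javascript
// Simplified model of iframe sandbox flag inheritance (HTML Standard subset).
// Constructed illustration; flag names are shortened labels, not API values.
const TOKEN_CLEARS = new Map([
  ["allow-popups", "auxiliary-navigation"],
  ["allow-top-navigation", "top-level-navigation"],
  ["allow-same-origin", "origin"],
  ["allow-forms", "forms"],
  ["allow-scripts", "scripts"],
  ["allow-modals", "modals"],
]);
// "navigation" stands for the sandboxed navigation browsing context flag:
// it is set whenever the sandbox attribute is present and no token clears it.
const ALL_FLAGS = ["navigation", ...TOKEN_CLEARS.values()];

// sandboxAttr: attribute value string, or null when the attribute is absent.
function parseSandbox(sandboxAttr) {
  if (sandboxAttr === null) return new Set();
  const flags = new Set(ALL_FLAGS);
  for (const token of sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean)) {
    flags.delete(TOKEN_CLEARS.get(token)); // unknown tokens clear nothing
  }
  return flags;
}

// chain: sandbox attribute values of each iframe, outermost first.
// Expected behaviour: a nested context carries every ancestor's flags.
function effectiveFlags(chain) {
  const flags = new Set();
  for (const attr of chain) for (const f of parseSandbox(attr)) flags.add(f);
  return flags;
}

// Faulty behaviour: only the innermost iframe's own attribute is honoured.
function flagsWithoutInheritance(chain) {
  return parseSandbox(chain[chain.length - 1]);
}

// Flags a nested context should have but would lose without inheritance.
function lostFlags(chain) {
  const kept = flagsWithoutInheritance(chain);
  return [...effectiveFlags(chain)].filter((f) => !kept.has(f)).sort();
}

// Constructed case: sandboxed outer iframe, inner iframe with no attribute.
console.log(lostFlags(["allow-scripts", null]));
```

A non-empty result from `lostFlags` marks a frame chain where the nested context depends entirely on inheritance for its restrictions, which makes such chains useful regression cases when testing an embedded browser.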

This issue was reported to F‑Secure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.

Credits

F‑Secure would like to thank Narendra Bhati of Suma Soft Pvt. Ltd. India for bringing this issue to our attention.

Note

We have applied for, but not yet received, a CVE identifier for this advisory. We will update the advisory page once we have obtained the CVE number.

Date issued: 2023-05-03