embed/ephy-web-view.c in GNOME Web (aka Epiphany) through 3.31.4 allows address bar spoofing because a page load triggered by JavaScript leads to updating an address as if it were triggered by a safer visit type (e.g., VISIT_LINK, VISIT_TYPED, VISIT_BOOKMARK, or VISIT_HOMEPAGE). Upstream issue: https://gitlab.gnome.org/GNOME/epiphany/issues/532
Created epiphany tracking bugs for this issue: Affects: fedora-all [bug 1667410]
Note that the CVE description and affected component are wrong. The affected component is WebKitGTK. Suggested description: Processing maliciously crafted web content may lead to spoofing. WebKitGTK and WPE WebKit were vulnerable to a URI spoofing attack similar to the CVE-2018-8383 issue in Microsoft Edge.
Better upstream issue: https://bugs.webkit.org/show_bug.cgi?id=194208
Earlier, this flaw was filed with the wrong description and the wrong component as reported. Updated with correct information: CVE-2019-6251: Processing maliciously crafted web content may lead to spoofing. WebKitGTK and WPE WebKit were vulnerable to a URI spoofing attack similar to the CVE-2018-8383 issue in Microsoft Edge. References: https://webkitgtk.org/security/WSA-2019-0002.html and https://wpewebkit.org/security/WSA-2019-0002.html
Created mingw-webkitgtk tracking bugs for this issue: Affects: fedora-all [bug 1709313]
Created mingw-webkitgtk tracking bugs for this issue: Affects: epel-7 [bug 1709314] Created mingw-webkitgtk3 tracking bugs for this issue: Affects: epel-7 [bug 1709315]
Created webkit2gtk3 tracking bugs for this issue: Affects: fedora-all [bug 1717747]
https://gitlab.gnome.org/GNOME/epiphany/issues/532#note_474517 says this was already fixed for webkitgtk-2.24.1; see also https://bugs.webkit.org/show_bug.cgi?id=194208 and https://www.webkitgtk.org/security/WSA-2019-0002.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4035 https://access.redhat.com/errata/RHSA-2020:4035
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-6251