An address bar spoofing vulnerability affects Apple Safari and Opera Touch. UCWeb, Bolt Browser, Yandex Browser, and RITS Browser remain unpatched. The issue stems from malicious JavaScript code on an arbitrary website forcing the browser to update the address bar, while the page is still loading, to another address of the attacker’s choice. An attacker can set up a malicious website and lure the target into opening the link from a spoofed email or text message, thereby leading an unsuspecting recipient to download malware or risk having their credentials stolen.
Source: https://thehackernews.com/2020/10/browser-address-spoofing-vulnerability.html