CVE-2020-27970: 
Yandex Browser vulnerability analysis and mitigation

Yandex Browser before version 20.10.0 was discovered to contain an address bar spoofing vulnerability identified as CVE-2020-27970. The vulnerability was disclosed and documented on September 13, 2021, affecting all versions of Yandex Browser prior to version 20.10.0 (NVD, Yandex BugBounty).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. Under CVSS v2.0, it received a Base Score of 5.0 (MEDIUM) with a vector of (AV:N/AC:L/Au:N/C:N/I:P/A:N). The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) (NVD).

The vulnerability allows remote attackers to spoof the address bar, which could potentially lead to phishing attacks where users might be tricked into believing they are visiting legitimate websites while actually being on malicious ones (NVD).

The vulnerability was addressed in Yandex Browser version 20.10.0. Users should upgrade to this version or later to mitigate the risk (Yandex BugBounty).

The vulnerability was discovered and reported by security researcher Kirtikumar Anandrao Ramchandani through Yandex's bug bounty program. Yandex acknowledged the finding by including it in their Browser Hall of Fame and issuing a CVE (Yandex BugBounty).