CVE-2024-40866: 
Apple Safari vulnerability analysis and mitigation

A vulnerability was discovered in Safari and macOS Sequoia affecting address bar spoofing (CVE-2024-40866). The issue was identified and fixed in Safari 18 and macOS Sequoia 15, released on September 16, 2024. The vulnerability affects Safari browser and macOS operating systems, allowing potential address bar spoofing when visiting malicious websites (Apple Safari, Apple macOS).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The issue was related to the WebKit engine and was addressed by improving the user interface implementation. The vulnerability requires user interaction and can be exploited through network access (NVD).

When exploited, this vulnerability could allow attackers to perform address bar spoofing attacks through malicious websites. This could potentially mislead users about the website they are visiting, enabling phishing attacks or other forms of deception (Apple Safari).

Apple has addressed this vulnerability by releasing patches in Safari 18 and macOS Sequoia 15. Users are advised to update to these versions to protect against potential exploitation. The fix involves improvements to the user interface implementation in WebKit (Apple Safari, Apple macOS).

The vulnerability was discovered and reported by Hafiizh and YoKo Kho (@yokoacc) of HakTrak, demonstrating ongoing security research in the WebKit ecosystem (Apple Safari).