In today's world, where the internet has become an integral part of our daily lives, ensuring security while browsing online is a critical concern. One of the security threats that users face is the potential for hackers to exploit vulnerabilities in web browsers. With this in mind, it is crucial to be vigilant and stay informed about the latest bugs and threats.

In this post, we will delve deep into the CVE-2023-38173, a recently discovered vulnerability in Microsoft Edge for Android that attackers can exploit to spoof the address bar and potentially mislead users into divulging sensitive information. We will provide insight into the details of the vulnerability, evaluate its potential impact, and also look at the available patch and mitigation strategies.

Vulnerability Description

CVE-2023-38173 refers to a spoofing vulnerability in the Microsoft Edge browser for Android. By exploiting this vulnerability, attackers can create visually convincing fake websites to deceive users, manipulate their online experiences, and possibly extract sensitive information like passwords or financial details. Specifically, this vulnerability allows hackers to tamper with the displayed URL in the address bar, making victims believe they are on a legitimate website.

For an in-depth analysis of this vulnerability, you can refer to the original security advisory at

Code Snippet

The following is a simple proof of concept (PoC) that demonstrates how an attacker could exploit the CVE-2023-38173 vulnerability to spoof the address bar in Microsoft Edge for Android, making it appear as if users are browsing, while they actually interact with a malicious web page:

<!DOCTYPE html>
  <title>Address Bar Spoofing - CVE-2023-38173</title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
    function spoofAddressBar() {
      let iframe = document.createElement("iframe"); = "none";
      iframe.src = "";;
      setTimeout(function() {
        history.replaceState({}, "", "/fake_page.html");
      }, 500);
  <h1>Click the button to spoof the address bar.</h1>
  <button onclick="spoofAddressBar()">Spoof Address Bar</button>

Upon clicking the "Spoof Address Bar" button, the web page loads an iframe with the legitimate URL, making it appear in the address bar. However, after a brief delay, the script then replaces the displayed URL with "/fake_page.html," while keeping the domain intact, resulting in a misleading view of the actual web page location.

Exploit Details

The CVE-2023-38173 vulnerability stems from a design flaw in Microsoft Edge for Android, where the JavaScript API history.replaceState() can modify the address bar, even after loading a cross-origin iframe. This means that attackers, through clever use of JavaScript and timed events, can mislead users into leaking their personal information onto convincingly crafted fake websites that share the same domain as the authentic site.

As of now, there are no known instances of this vulnerability being exploited in the wild. Nonetheless, users should be cautious when browsing online, as cybercriminals might attempt to leverage this security loophole.

Patch and Mitigation

Upon discovering this vulnerability, security researchers responsibly disclosed their findings to Microsoft, who subsequently released a patch in their latest security update for Edge on Android. Users should immediately update their browsers to the latest version by visiting the Google Play Store:

This update will help ensure that users are protected from potential attacks exploiting this vulnerability and reduce the risks to their sensitive information as they browse the internet.


The CVE-2023-38173 Microsoft Edge for Android spoofing vulnerability highlights the importance of staying informed about potential threats and being proactive in adopting security patches and mitigation measures. The swift resolution by Microsoft reinforces the need for strong collaboration between the cybersecurity researchers and the industry. Always keep your software up-to-date and stay vigilant when browsing online to minimize risks to your personal information and overall browsing experience.


Published on: 07/21/2023 18:15:00 UTC
Last modified on: 08/01/2023 15:41:00 UTC