A Safari browser address bar vulnerability that allowed well-designed, difficult-to-detect phishing attacks has been patched with the release of Safari 12. We recommend that users update to iOS 12 as soon as possible. For update instructions, please see: https://support.apple.com/en-us/HT201222. For information on the security content of Safari 12, please see: https://support.apple.com/en-us/HT209109.
Vulnerability specifics: Safari (versions prior to 12) permitted JavaScript to update the address bar before the page loaded completely. A malicious actor could begin loading a legitimate web page, which would cause the legitimate URL to appear in the browser’s address bar. The page's code could then be quickly replaced with that of a malicious site, while the browser preserved the legitimate address and loaded the content of the spoofed page. This type of attack could be used to spoof any website, including banking websites, Gmail, Facebook, Twitter, etc., in an attempt to steal user credentials and sensitive information.
A similar vulnerability in Microsoft Edge was patched by Microsoft on August 14th. Google Chrome and Mozilla Firefox are reportedly not impacted by this vulnerability.
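
To find clients that still need the update, the Safari version can be read from the User-Agent values in web or proxy logs. The script below is an added example, not part of the original advisory; the function names are illustrative and the sample User-Agent strings are constructed. User-Agent values are client-supplied, so treat the result as an inventory aid rather than proof of patch level.

```python
import re
from collections import Counter

# Safari reports its own version in the "Version/x.y" token; the trailing
# "Safari/..." token is a WebKit build number that other browsers also send.
VERSION_RE = re.compile(r"\bVersion/(\d+)(?:\.(\d+))?")
# Tokens marking a non-Safari browser that still includes "Safari/" in its UA.
NOT_SAFARI_RE = re.compile(r"\b(?:Chrome|Chromium|CriOS|FxiOS|EdgiOS|Edge|OPR|Android)\b")
FIXED_MAJOR = 12  # per the advisory: versions prior to 12 are affected


def safari_version(user_agent):
    """Return (major, minor) for a Safari User-Agent, otherwise None."""
    if "Safari/" not in user_agent or NOT_SAFARI_RE.search(user_agent):
        return None
    m = VERSION_RE.search(user_agent)
    if not m:
        return None  # no Version token, so the Safari release is unknown
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(user_agent):
    """True when the UA identifies a Safari release older than the fixed one."""
    v = safari_version(user_agent)
    return v is not None and v[0] < FIXED_MAJOR


def summarize(user_agents):
    """Count affected clients per Safari major.minor version."""
    counts = Counter()
    for ua in user_agents:
        if is_affected(ua):
            counts["%d.%d" % safari_version(ua)] += 1
    return dict(counts)


# Constructed sample User-Agent values (not taken from real traffic).
SAMPLE_UAS = [
    "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_UAS))
```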