Firefox for Android: Location Bar Spoofing Risk - The location bar remains hidden when the user manually scrolls down a webpage and another website is loaded during this scroll event
Description:
This Location Bar Spoofing is similare that Bug 1293463 [CVE-2017-5395].
The fix for Bug 1293463 isn't perfect to disable the Spoofing Risk because this patch consists to show the real location bar when the user clicks on a HTML input tag to write something into this input (eg: login or password). The problem of this patch is that multiple websites (eg: banking websites, ...) use a numeric keypad or numeric keyboard to write the user credentials. So, a click on an input tag isn't used by these websites and the real location bar remains hidden leading to the Fake Location Bar continue to be displayed during the writing of credentials when a numeric keypad/keyboard or a fake Android Keyboard is used.