embed/ephy-web-view.c in GNOME Web through 3.31.4 allows address bar spoofing because a page load triggered by JavaScript leads to updating an address as if it were triggered by a safer visit type . This is similar to the CVE-2018-8383 issue in Microsoft Edge.