There was an address bar Spoofing flaw on both the browsers which allow an attacker to trick a user into visiting a spoof website that appears to be legitimate.
The address bar spoofing flaw works because some languages that display right-to-left, such as Arabic, are rendered differently.
On his blog he had wrote full details about the vulnerability, where he explained that the flaw could be used to trick users into supplying sensitive information to a malicious site, because the website appears to be legitimate in the browser's address box.
This address bar spoofing flaw works because some languages that display right-to-left, such as Arabic, are rendered differently. He explained that if you take a neutral right-to-left character (such as a forward slash), it can be used to flip a web address to also display right-to-left.
127.0.0.1/ا/http://example.com would instead appear in the browser bar as http://example.com/ا/127.0.0.1.With this bug attacker can easily mask the malicious link under the legitimate url. In a simple words, users see the same URL that he/she wants to visit in the browsers URL bar, but the contents it getting is of the hidden URL under the legitimate one.
Rafay had reported the vulnerability to both vendors and they were got fixed, but the vulnerability still resides on some other popular browsers.
For this bug finding, Rafay got $5000 of monetary rewards.
This is not the first time that Rafay had reported the Spoofing Vulnerability. Earlier also he had reported the same bug on Android devices browsers which put millions of users under threats.