Szafir SDK Web is a browser plug-in that launches the SzafirHost application to download necessary files. The vulnerability arises because the `document_base_url` parameter, which specifies the URL context for the application launch, is not validated against the calling web application's actual address. An attacker can craft a malicious website that sets this parameter to an arbitrary URL, causing the SzafirHost application to run with arguments from the attacker-controlled URL. The confirmation prompt displays this URL, but if the user previously accepted execution with the "remember" option, the prompt is bypassed, allowing the application to run silently in the attacker's context and potentially download malicious files. This vulnerability is classified as CWE-348 (Use of Less Trusted Source) and has a CVSS 4.0 score of 5.1 (medium severity). It was fixed in Szafir SDK Web version 0.0.17.4.

An unauthenticated attacker can exploit this vulnerability by hosting a malicious website that triggers the SzafirHost application to run with attacker-controlled arguments and download files from attacker-controlled URLs. This can lead to execution of potentially malicious code or files in the context of the victim's system. If the victim previously allowed execution with the "remember" option, the attack can proceed without user interaction, increasing risk. However, exploitation requires user interaction at least once to accept the prompt unless the "remember" option is set.

Upgrade Szafir SDK Web to version 0.0.17.4 or later, where this vulnerability is fixed. Users who have not updated should be cautious about accepting application execution prompts from untrusted websites, especially avoiding the "remember" option to prevent silent execution. Patch status is confirmed fixed in version 0.0.17.4.