Security researcher Abdulrahman Alqabandi reported that when a
data:
URI is parsed, the hash ('#') symbol is incorrectly handled, allowing
for spoofing attacks. This issue could result in the wrong URI being displayed as a
location, which can mislead users to believe they are on a different site than the one
loaded.