Yandex Browser prior to 16.9.0 allows remote malicious users to spoof the address bar via window.open.
yandex yandex browser