A malicious site may embed a page in an iframe and modify transactions before submitting to an external wallet

[moodysalem]

The severity of this issue is low/medium.

Repro steps:

1. Malicious site embeds target site, e.g. mycrypto
2. Target site includes this script
3. Target site submits transaction
4. Malicious site manipulates transaction and submits to window.web3 provider
5. window.web3 provider shows confirmation for different transaction than was initiated by target site
6. user does not validate the transaction details match what was initiated by dapp

The easy solution to this is to only allow trusted iframe providers to embed your page in an iframe

[moodysalem]

Another solution is to pass a target origin to the provider, limiting which dapps are supported by this provider automatically.