Safari in Apple iOS before 9.2 allows remote attackers to spoof a URL in the user interface via a crafted web site.