DuckDuckGo · DuckDuckGo · CVE-2020-15502
**Name of the Vulnerable Software and Affected Versions**
DuckDuckGo versions 5.58.0 and earlier for Android
DuckDuckGo versions 7.47.1.0 and earlier for iOS
**Description**
The application sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain. This might make visit data available temporarily at a potentially unwanted endpoint. The vendor has stated that the favicon service adheres to their strict privacy policy.
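One way to audit captured traffic for the behaviour described above, as an added example that is not part of the original advisory or of DuckDuckGo's code: it scans request URLs (visible only where TLS is inspected, such as a test device behind your own intercepting proxy) for `.ico` requests to duckduckgo.com hosts whose file name is itself a hostname. The sample URLs are constructed, and their `icons` subdomain and `/ip3/` path layout are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hostname syntax: dot-separated labels ending in an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def disclosed_hostname(url):
    """Return the visited hostname carried by a favicon request, or None."""
    parts = urlsplit(url)
    server = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return None
    # Match duckduckgo.com and its subdomains only, not look-alike domains.
    if server != "duckduckgo.com" and not server.endswith(".duckduckgo.com"):
        return None
    leaf = parts.path.rsplit("/", 1)[-1].lower()
    if not leaf.endswith(".ico"):
        return None
    candidate = leaf[: -len(".ico")]
    # "favicon.ico" yields "favicon", which is not a hostname and is skipped.
    return candidate if HOSTNAME_RE.match(candidate) else None


def audit(urls):
    """Map each disclosed hostname to the number of requests that carried it."""
    counts = {}
    for url in urls:
        host = disclosed_hostname(url)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample: URLs as an intercepting test proxy might log them.
SAMPLE_URLS = [
    "https://icons.duckduckgo.com/ip3/intranet.example.org.ico",
    "https://icons.duckduckgo.com/ip3/clinic.example.net.ico",
    "https://icons.duckduckgo.com/ip3/intranet.example.org.ico",
    "https://duckduckgo.com/favicon.ico",
    "https://notduckduckgo.com/ip3/shop.example.com.ico",
    "https://example.org/favicon.ico",
]

if __name__ == "__main__":
    for host, n in sorted(audit(SAMPLE_URLS).items()):
        print(f"{host}\t{n} request(s)")
```
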
**Recommendations**
For DuckDuckGo versions 5.58.0 and earlier for Android, consider disabling the favicon service until a patch is available.
For DuckDuckGo versions 7.47.1.0 and earlier for iOS, consider disabling the favicon service until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this issue.